Supplemental Document : BIG-IP 16.0.0.1 Fixes and Known Issues

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 16.0.0

BIG-IP Analytics

  • 16.0.0

BIG-IP Link Controller

  • 16.0.0

BIG-IP LTM

  • 16.0.0

BIG-IP PEM

  • 16.0.0

BIG-IP AFM

  • 16.0.0

BIG-IP DNS

  • 16.0.0

BIG-IP FPS

  • 16.0.0

BIG-IP ASM

  • 16.0.0

BIG-IP Release Information

Version: 16.0.0.1
Build: 3.0

Note: This content is current as of the software release date
Updates to bug information occur periodically. For the most up-to-date bug data, see Bug Tracker.

Known Issues in BIG-IP v16.0.x

Vulnerability Fixes

ID Number CVE Solution Article(s) Description
935721-6 CVE-2020-8622, CVE-2020-8623, CVE-2020-8624 K82252291 ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624


Functional Change Fixes

None


Cumulative fix details for BIG-IP v16.0.0.1 that are included in this release

935721-6 : ISC BIND Vulnerabilities: CVE-2020-8622, CVE-2020-8623, CVE-2020-8624

Solution Article: K82252291



Known Issues in BIG-IP v16.0.x


TMOS Issues

ID Number Severity Solution Article(s) Description
934241-1 1-Blocking   TMM may core when using FastL4's hardware offloading feature
943109-1 2-Critical   Mcpd crash when bulk deleting Bot Defense profiles
942549-1 2-Critical   Dataplane INOPERABLE - Only 7 HSBs found. Expected 8
932437-1 2-Critical   Loading SCF file does not restore files from tar file
927033-3 2-Critical   Installer fails to calculate disk size of destination volume
915305-6 2-Critical   Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded
910201-4 2-Critical   OSPF - SPF/IA calculation scheduling might get stuck infinitely
908517-4 2-Critical   LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'
896217-1 2-Critical   BIG-IP GUI unresponsive
888341-8 2-Critical   HA Group failover may fail to complete Active/Standby state transition
886693-4 2-Critical   System may become unresponsive after upgrading
871561-6 2-Critical   Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'
856713-4 2-Critical   IPsec crash during rekey
842669-5 2-Critical   Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log
799001-8 2-Critical   Sflow agent does not handle disconnect from SNMPD manager correctly
785017-5 2-Critical   Secondary blades go offline after new primary is elected
780437-7 2-Critical   Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.
777389-6 2-Critical   In a corner case, for PostgreSQL monitor MCP process restarts
776393-4 2-Critical   Memory leak in restjavad causing restjavad to restart frequently with OOM
739507-4 2-Critical   Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check
739505-4 2-Critical   Automatic ISO digital signature checking not required when FIPS license active
737322-5 2-Critical   tmm may crash at startup if the configuration load fails
718573-4 2-Critical   Internal SessionDB invalid state
382363-2 2-Critical K30588577 min-up-members and using gateway-failsafe-device on the same pool.
943641-2 3-Major   IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfig
943577-1 3-Major   Full sync failure for traffic-matching-criteria with port list under certain conditions
943473-1 3-Major   LDAP monitor's test functionality has an incorrect and non-modifiable IP field in GUI
943045-3 3-Major   Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.
939541-1 3-Major   TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE
938145-2 3-Major   DAG redirects packets to non-existent tmm
936093-1 3-Major   Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline
935177-1 3-Major   IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm
934941-1 3-Major   Platform FIPS power-up self test failures not logged to console
934065-2 3-Major   The turboflex-low-latency and turboflex-dns are missing.
933329-1 3-Major   The process plane statistics do not accurately label some processes
932497-2 3-Major   Autoscale groups require multiple syncs of datasync-global-dg
932233-1 3-Major   '@' no longer valid in SNMP community strings
931629-4 3-Major   External trunk fdb entries might end up with internal MAC addresses.
930825-5 3-Major   System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors
928697-1 3-Major   Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT
928389-1 3-Major   GUI become inaccessible after importing certificate under import type 'certificate'
928353-1 3-Major   Error logged installing Engineering Hotfix: Argument isn't numeric
927941-6 3-Major   IPv6 static route BFD does not come up after OAMD restart
925797-1 3-Major   Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members
924493-1 3-Major   VMware EULA has been updated
923745-4 3-Major   Ctrl-Alt-Del reboots the system
922885-1 3-Major   BIG-IP Virtual Edition does not pass traffic on ESXi 6.5
922613-3 3-Major   Tunnels using autolasthop might drop traffic with ICMP route unreachable
922297-1 3-Major   TMM does not start when using more than 11 interfaces with more than 11 vCPUs
922185-2 3-Major   No support for LDAP referrals for ' cert-ldap system-auth'
922153-1 3-Major   Tcpdump is failing on tmm 0.x interfaces
921881-1 3-Major   Use of IPFIX log destination can result in increased CPU utilization
921361-3 3-Major   SSL client and SSL server profile names truncated in GUI
921149-4 3-Major   After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy
921121-5 3-Major   Tmm crash with iRule and a PEM Policy with BWC Enabled
920761-1 3-Major   Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values
920517-1 3-Major   Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI
919401-1 3-Major   Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed
919317-6 3-Major   NSM consumes 100% CPU processing nexthops for recursive ECMP routes
919185-1 3-Major   Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed
918409-1 3-Major   BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures
915829-3 3-Major   Particular Users unable to login with LDAP Authentication Provider
915825-1 3-Major   Configuration error caused by Drafts folder in a deleted custom partition while upgrading.
915557-1 3-Major   The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.
915497-1 3-Major   New Traffic Class Page shows multiple question marks.
915493-5 3-Major   imish command hangs when ospfd is enabled
914645-4 3-Major   Unable to apply LTM policies to virtual servers after running 'mount -a'
913849-2 3-Major   Syslog-ng periodically logs nothing for 20 seconds
913829-5 3-Major   i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence
913573-3 3-Major   Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.
909505-4 3-Major   Creating LTM data group external object fails.
909485-4 3-Major   Deleting LTM data-group external object incorrectly reports 200 when object fails to delete
909197-2 3-Major   The mcpd process may become unresponsive
908753-2 3-Major   Password memory not effective even when password policy is configured
908601-1 3-Major   System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option
907549-2 3-Major   Memory leak in BWC::Measure
906505-1 3-Major   Display of LCD System Menu cannot be configured via GUI on iSeries platforms
904845-1 3-Major   VMware guest OS customization works only partially in a dual stack environment.
904785-2 3-Major   Remotely authenticated users may experience difficulty logging in over the serial console
904705-1 3-Major   Cannot clone Azure marketplace instances.
904401-4 3-Major   Guestagentd core
903265-4 3-Major   Single user mode faced sudden reboot
902401-1 3-Major   OSPFd SIGSEGV core when 'ospf clear' is done on remote device
901989-1 3-Major   Boot_marker writes to /var/log/btmp
900933-3 3-Major   IPsec interoperability problem with ECP PFS
900485-1 3-Major   Syslog-ng 'program' filter does not work
899933-1 3-Major   Listing property groups in TMSH without specifying properties lists the entire object
899085-7 3-Major   Configuration changes made by Certificate Manager role do not trigger saving config
898705-6 3-Major   IPv6 static BFD configuration is truncated or missing
898577-1 3-Major   Executing a command in "mgmt tm" using iControl REST results in tmsh error
898461-1 3-Major   Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'
896817-1 3-Major   iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb
895837-4 3-Major   Mcpd crash when a traffic-matching-criteria destination-port-list is modified
893885-4 3-Major   The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation
893341-4 3-Major   BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445
892445-1 3-Major   BWC policy names are limited to 128 characters
891221-1 3-Major   Router bgp neighbor password CLI help string is not helpful
889029-1 3-Major   Unable to login if LDAP user does not have search permissions
888869-1 3-Major   GUI reports General Database Error when accessing Instances Tab of SSL Certificates
888081-5 3-Major   BIG-IP VE Migration feature fails for 1NIC
887117-3 3-Major   Invalid SessionDB messages are sent to Standby
887089-2 3-Major   Upgrade can fail when filenames contain spaces
886689-7 3-Major   Generic Message profile cannot be used in SCTP virtual
886649-1 3-Major   Connections stall when dynamic BWC policy is changed via GUI and TMSH
886273-4 3-Major   Unanticipated restart of TMM due to heartbeat failure
884729-1 3-Major   The vCMP CPU usage stats are incorrect
883149-2 3-Major   The fix for ID 439539 can cause mcpd to core.
882833-1 3-Major   SELinux issue cause zrd down
882709-5 3-Major   Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors in this release
882609-2 3-Major   ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back
881085-4 3-Major   Intermittent auth failures with remote LDAP auth for BIG-IP managment
880625-4 3-Major   Check-host-attr enabled in LDAP system-auth creates unusable config
880165-3 3-Major   Auto classification signature update fails
879969-6 3-Major   FQDN node resolution fails if DNS response latency >5 seconds
879405-3 3-Major   Incorrect value in Transparent Nexthop property
871705-7 3-Major   Restarting bigstart shuts down the system
865177-5 3-Major   Cert-LDAP returning only first entry in the sequence that matches san-other oid
862937-4 3-Major   Running cpcfg after first boot can result in daemons stuck in restart loop
862525-7 3-Major   GUI Browser Cache Timeout option is not available via tmsh
858197-5 3-Major   Merged crash when memory exhausted
844925-4 3-Major   Command 'tmsh save /sys config' fails to save the configuration and hangs
844085-5 3-Major   GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address
839121-4 3-Major   A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade
828789-4 3-Major   Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters
820845-5 3-Major   Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.
814585-8 3-Major   PPTP profile option not available when creating or modifying virtual servers in GUI
807837-1 3-Major   Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.
807337-6 3-Major   Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.
806073-8 3-Major   MySQL monitor fails to connect to MySQL Server v8.0
803833-6 3-Major   On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host
798885-5 3-Major   SNMP response times may be long due to processing burden of requests
797829-7 3-Major   The BIG-IP system may fail to deploy new or reconfigure existing iApps
788577-8 3-Major   BFD sessions may be reset after CMP state change
780745-4 3-Major   TMSH allows creation of duplicate community strings for SNMP v1/v2 access
778041-4 3-Major   tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)
775797-4 3-Major   Previously deleted user account might get authenticated
762097-4 3-Major   No swap memory available after upgrading to v14.1.0 and above
760932-2 3-Major   Part of APM log messages are also in other logs when strings are long
760354-2 3-Major   Continual mcpd process restarts after removing big logs when /var/log is full
759737-4 3-Major   Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests
759564-1 3-Major   GUI not available after upgrade
757787-4 3-Major   Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.
756139-5 3-Major   Inconsistent logging of hostname files when hostname contains periods
755976-5 3-Major   ZebOS might miss kernel routes after mcpd deamon restart
749757 3-Major   -s option in qkview help does not indicate maximum size
741702-1 3-Major   TMM crash
740589-5 3-Major   Mcpd crash with core after 'tmsh edit /sys syslog all-properties'
725646-1 3-Major   The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly
714176-6 3-Major   UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed
692218-7 3-Major   Audit log messages sent from the primary blade to the secondaries should not be logged.
690928-2 3-Major   System posts error message: 01010054:3: tmrouted connection closed
675911-10 3-Major K13272442 Different sections of the GUI can report incorrect CPU utilization
662301-1 3-Major   'Unlicensed objects' error message appears despite there being no unlicensed config
658850-4 3-Major   Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP
499348-12 3-Major   System statistics may fail to update, or report negative deltas due to delayed stats merging
489572-6 3-Major K60934489 Sync fails if file object is created and deleted before sync to peer BIG-IP
486712-8 3-Major   GUI PVA connection maximum statistic is always zero
469724-4 3-Major   When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire
431503-9 3-Major K14838 TMSH crashes in rare initial tunnel configurations
398683-5 3-Major K12304 Use of a # in a TACACS secret causes remote auth to fail
385013-1 3-Major   Certain user roles do not trigger a sync for a 'modify auth password' command
939757-5 4-Minor   Deleting a virtual server might not trigger route-injection update.
933461-5 4-Minor   BGP multi-path candidate selection does not work properly in all cases.
927441-4 4-Minor   Guest user not able to see virtual server details when ASM policy attached
924429-1 4-Minor   Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values
921065-2 4-Minor   BIG-IP systems not responding to DPD requests from initiator after failover
919861-2 4-Minor   Tunnel Static Forwarding Table does not show entries per page
919745-1 4-Minor   CSV files downloaded from the Dashboard have the first row with all 'NaN
918209-4 4-Minor   GUI Network Map icons color scheme is not section 508 compliant
915141-1 4-Minor   Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'
914761-4 4-Minor   Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.
910645-2 4-Minor   Upgrade error 'Parsing default XML files. Failed to parse xml file'
908453-4 4-Minor   Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly
906889-2 4-Minor   Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.
906449-1 4-Minor   Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load
902417-6 4-Minor   Configuration error caused by Drafts folder in a deleted custom partition
901985-7 4-Minor   Extend logging for incomplete HTTP requests
901669-5 4-Minor   Error status in "show cm failover-status" after MGMT-IP change
899097-3 4-Minor   Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking
896693-5 4-Minor   Patch installation is failing for iControl REST endpoint.
896689-5 4-Minor   Asynchronous tasks can be managed via unintended endpoints
893813-4 4-Minor   Modifying pool enables address and port translation in TMUI
893093-1 4-Minor   An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.
892677-6 4-Minor   Loading config file with imish adds the newline character
890277-4 4-Minor   Full config sync to a device group operation takes a long time when there are a large number of partitions.
882713-2 4-Minor   BGP SNMP trap has the wrong sysUpTime value
864757-4 4-Minor   Traps that were disabled are enabled after configuration save
860573-4 4-Minor   LTM iRule validation performance improvement by tracking procedure/event that have been validated
817989-2 4-Minor   Cannot change managemnet IP from GUI
807309-4 4-Minor   Incorrect Active/Standby status in CLI Prompt after failover test
779857-3 4-Minor   Misleading GUI error when installing a new version in another partition
759590-7 4-Minor   Creation of RADIUS authentication fails with service types other than 'authenticate only'
753536-4 4-Minor   REST no longer requires a token to login for TACACS use
751103-1 4-Minor   TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop
742753-6 4-Minor   Accessing the BIG-IP system's WebUI via special proxy solutions may fail
742105-4 4-Minor   Displaying network map with virtual servers is slow
713183-5 4-Minor   Malformed JSON files may be present on vCMP host
712241-7 4-Minor   A vCMP guest may not provide guest health stats to the vCMP host
696363-5 4-Minor   Unable to create SNMP trap in the GUI
689147-4 4-Minor   Confusing log messages on certain user/role/partition misconfiguration when using remote role groups
675772-3 4-Minor   IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy
673573-7 4-Minor   tmsh logs boost assertion when running child process and reaches idle-timeout
658943-4 4-Minor   Errors when platform-migrate loading UCS using trunks on vCMP guest
646768-5 4-Minor K71255118 VCMP Guest CM device name not set to hostname when deployed
603693-1 4-Minor K52239932 Brace matching in switch statement of iRules can fail if literal strings use braces
528894-5 4-Minor   Config sync after sub-partition config changes results extra lines in the partition's conf file


Local Traffic Manager Issues

ID Number Severity Solution Article(s) Description
942921-1 2-Critical   TMM leaking packets due to error handling
937777-1 2-Critical   The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.
937649-1 2-Critical   Flow fwd broken with statemirror.verify enabled and source-port preserve strict
935193-2 2-Critical   With APM and AFM provisioned, single logout ( SLO ) fails
927633-1 2-Critical   Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic
926985-1 2-Critical   HTTP/3 aborts stream on incomplete frame headers
911041-4 2-Critical   Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash
910653-6 2-Critical   iRule parking in clientside/serverside command may cause tmm restart
910213-1 2-Critical   LB::down iRule command is ineffective, and can lead to inconsistent pool member status
886045-1 2-Critical   Multi-NIC instances fail to come up when trying to use memory-mapped virtio device
851385-2 2-Critical   Failover takes too long when traffic blade failure occurs
835505-5 2-Critical   Tmsh crash potentially related to NGFIPS SDK
824437-8 2-Critical   Chaining a standard virtual server and an ipother virtual server together can crash TMM.
758491-4 2-Critical   When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys
625807-2 2-Critical   Tmm cores in bigproto_cookie_buffer_to_server
942217-4 3-Major   Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'
938309-1 3-Major   In-TMM Monitors time out unexpectedly
935793-1 3-Major   With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)
934993-1 3-Major   BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams
934697-4 3-Major   Route domain not reachable (strict mode)
932857-1 3-Major   Delays marking Nodes or Pool Members DOWN with in-TMM monitoring
932461-4 3-Major   Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.
930005-1 3-Major   Recover previous QUIC cwnd value on spurious loss
928857-1 3-Major   Use of OCSP responder may leak X509 store instances
928805-1 3-Major   Use of OCSP responder may cause memory leakage
928789-1 3-Major   Use of OCSP responder may leak SSL handshake instances
927713-3 3-Major   Secondary blade IPsec SAs lost after standby reboot using clsh reboot
927569-1 3-Major   HTTP/3 rejects subsequent partial SETTINGS frames
926929-4 3-Major   RFC Compliance Enforcement lacks configuration availability
926757-3 3-Major   ICMP traffic to a disabled virtual-address might be handled by a virtual-server.
926513-1 3-Major   HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.
922641-5 3-Major   Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow
922413-1 3-Major   Excessive memory consumption with ntlmconnpool configured
921541-2 3-Major   When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.
920789-1 3-Major   UDP commands in iRules executed during FLOW_INIT event fail
920205-3 3-Major   Rate shaping might suppress TCP RST
918277-1 3-Major   Slow Ramp does not take into account pool members' ratio weights
916589-1 3-Major   QUIC drops 0RTT packets if CID length changes
915713-1 3-Major   Support QUIC and HTTP3 draft-29
915689-2 3-Major   HTTP/2 dynamic header table may fail to identify indexed headers on the response side.
915605-2 3-Major   Image install fails if iRulesLX is provisioned and /usr mounted read-write
915281-3 3-Major   Do not rearm TCP Keep Alive timer under certain conditions
913385-2 3-Major   TMM generates core while deleting iFiles
913249-1 3-Major   Restore missing UDP statistics
912517-1 3-Major   MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured
912425-4 3-Major   Modification of in-tmm monitors may result in crash
912293-4 3-Major   Persistence might not work properly on virtual servers that utilize address lists
911777-1 3-Major   BIG-IP SSL forward proxy might drop connection to servers with revoked certificate status.
910673-1 3-Major   Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'
910521-1 3-Major   Support QUIC and HTTP draft-28
910273-1 3-Major   SSL Certificate version always displays as '1' in the GUI
910105 3-Major   Partial HTTP/2 payload may freeze on the BIG-IP system
909997-2 3-Major   Virtual server status displays as unavailable when it is accepting connections
909677-1 3-Major   HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted
907177-1 3-Major   Priority of embedded APM iRules is ignored
905477-1 3-Major   The sdmd daemon cores during config sync when multiple devices configured for iRules LX
904625-1 3-Major   Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync
904041-1 3-Major   Ephemeral pool members may be incorrect when modified via various actions
903581-4 3-Major   The pkcs11d process cannot recover under certain error condition
902377-3 3-Major   HTML profile forces re-chunk even though HTML::disable
901929-1 3-Major   GARPs not sent on virtual server creation
901569-3 3-Major   Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.
898733-4 3-Major   SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM
898685-5 3-Major   Order of ciphers changes after updating cipher group
897185-4 3-Major   Resolver cache not using random port distribution
895205-1 3-Major   A circular reference in rewrite profiles causes MCP to crash
895165-1 3-Major   Traffic-matching-criteria with "any" protocol overlaps with explicit protocols
893281-2 3-Major   Possible ssl stall on closed client handshake
892801-1 3-Major   When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"
892485-3 3-Major   A wrong OCSP status cache may be looked up and re-used during SSL handshake.
892385-5 3-Major   HTTP does not process WebSocket payload when received with server HTTP response
891373-1 3-Major   BIG-IP does not shut a connection for a HEAD request
891145-6 3-Major   TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal
889165-4 3-Major   "http_process_state_cx_wait" errors in log and connection reset
887045-2 3-Major   The session key does not get mirrored to standby.
885325-1 3-Major   Stats might be incorrect for iRules that get executed a large number of times
883049-1 3-Major   Statsd can deadlock with rrdshim if an rrd file is invalid
882549-1 3-Major   Sock driver does not use multiple queues in unsupported environments
881065-3 3-Major   Adding port-list to Virtual Server changes the route domain to 0
879413-7 3-Major   Statsd fails to start if one or more of its *.info files becomes corrupted
872981-4 3-Major   MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction
870349-2 3-Major   Continuous restart of ntlmconnpool after license reinstall
870309-3 3-Major   Ephemeral pool member not created when FQDN resolves to new IP address
867985-5 3-Major   LTM policy with a 'shutdown' action incorrectly allows iRule execution
858701-5 3-Major   Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x
854129-1 3-Major   SSL monitor continues to send previously configured server SSL configuration after changes (removal/modification)
852325-6 3-Major   HTTP2 does not support Global SNAT
846977-6 3-Major   TCP:collect validation changed in 12.0.0: the first argument can no longer be zero
842137-2 3-Major   Keys cannot be created on module protected partitions when strict FIPS mode is set
816953-2 3-Major   RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy
803629-8 3-Major   SQL monitor fails with 'Analyze Response failure' message even if recv string is correct
803233-6 3-Major   Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable
794417-5 3-Major   Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not
794385-4 3-Major   BGP sessions may be reset after CMP state change
793669-6 3-Major   FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value
785877-4 3-Major   VLAN groups do not bridge non-link-local multicast traffic.
785361-2 3-Major   In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped
780857-1 3-Major   HA failover network disruption when cluster management IP is not
778501-3 3-Major   LB_FAILED does not fire on failure of HTTP/2 server connection establishment
767217-4 3-Major   Under certain conditions when deleting an iRule, an incorrect dependency error is seen
766593-6 3-Major   RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20
764969-1 3-Major   ILX no longer supports symlinks in workspaces as of v14.1.0
762137-4 3-Major   Ping6 with correctly populated NDP entry fails
757029-7 3-Major   Ephemeral pool members may not be created after config load or reboot
756313-8 3-Major   SSL monitor continues to mark pool member down after restoring services
751451-1 3-Major   When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles
738045-8 3-Major   HTTP filter complains about invalid action in the LTM log file.
723112-7 3-Major   LTM policies does not work if a condition has more than 127 matches
717346-8 3-Major K13040347 [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total
714642-7 3-Major   Ephemeral pool-member state on the standby is down
705387-4 3-Major   HTTP/2, ALPN and SSL
700639-1 3-Major   The default value for the syncookie threshold is not set to the correct value
699758-3 3-Major   Intermittent connection resets are seen in HTTP/2 gateway when HTTP/2 preface is sent to server
696755-6 3-Major   HTTP/2 may truncate a response body when served from cache
940837-3 4-Minor   The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.
936557-1 4-Minor   Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.
935593-5 4-Minor   Incorrect SYN re-transmission handling with FastL4 timestamp rewrite
932937-1 4-Minor   HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.
932553-5 4-Minor   An HTTP request is not served when a remote logging server is down
932045-4 4-Minor   Memory leak with umem_alloc_80 through creating/deleting LTM node object
931469-8 4-Minor   Redundant socket close when half-open monitor pings
929429-1 4-Minor   Oracle database monitor uses excessive CPU when FIPS is licensed
926997-2 4-Minor   QUIC HANDSHAKE_DONE profile statistics are not reset
922005-2 4-Minor   Stats on a certain counter for web-acceleration profile may show excessive value
921477-1 4-Minor   Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.
916485-3 4-Minor   Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object
914681-1 4-Minor   Value of tmm.quic.log.level can differ between TMSH and GUI
914589-1 4-Minor   VLAN Failsafe timeout is not always respected
907045-1 4-Minor   QUIC HANDSHAKE_DONE is sent at the end of first flight
898753-6 4-Minor   Multicast control-plane traffic requires handling with AFM policies
898201-1 4-Minor   Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.
869565-2 4-Minor   Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN
869553-2 4-Minor   HTTP2::disable fails for server side allowing HTTP/2 traffic
829021-2 4-Minor   BIG-IP does not account a presence of http2 profile when response payload is modified
822245-1 4-Minor   Large number of in-TMM monitors results in some monitors being marked down
808409-5 4-Minor   Unable to specify if giaddr will be modified in DHCP relay chain
760590-5 4-Minor   TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server
758435-3 4-Minor   Ordinal value in LTM policy rules sometimes do not work as expected
738032-4 4-Minor   BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.
898929-5 5-Cosmetic   Tmm might crash when ASM, AVR, and pool connection queuing are in use
897437-6 5-Cosmetic   First retransmission might happen after syn-rto-base instead of minimum-rto.
873249-6 5-Cosmetic   Switching from fast_merge to slow_merge can result in incorrect tmm stats
860277-5 5-Cosmetic   Default value of TCP Profile Proxy Buffer High Low changed in 14.1


Global Traffic Manager (DNS) Issues

ID Number Severity Solution Article(s) Description
940733-4 2-Critical   Downgrading a FIPS-enabled BIG-IP system results in a system halt
931149-2 2-Critical   Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings
919553-1 2-Critical   GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.
918597-6 2-Critical   Under certain conditions, deleting a topology record can result in a crash.
918169-4 2-Critical   The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.
916753-1 2-Critical   RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core
850509-4 2-Critical   'Decryption of the field (privatekey) for object (13079) failed' message
837637-5 2-Critical   Orphaned bigip_gtm.conf can cause config load failure after upgrading
788465-6 2-Critical   DNS cache idx synced across HA group could cause tmm crash
783125-5 2-Critical   iRule drop command on DNS traffic without Datagram-LB may cause TMM crash
936777-1 3-Major   Old local config is synced to other devices in the sync group.
936417-4 3-Major   DNS/GTM daemon big3d does not accept ECDH or DH ciphers
936361-2 3-Major   IPv6-based bind (named) views do not work
935945-2 3-Major   GTM HTTP/HTTPS monitors cannot be modified via GUI
935249-1 3-Major   GTM virtual servers have the wrong status
926593-1 3-Major   GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'
921625-1 3-Major   The certs extend function does not work for GTM/DNS sync group
921549-3 3-Major   The gtmd process does not receive updates from local big3d.
920817-7 3-Major   DNS Resource Records can be lost in certain circumstances
918693-5 3-Major   Wide IP alias validation error during sync or config load
913917-1 3-Major   Unable to save UCS
912761-1 3-Major   Link throughput statistics are different
912001-2 3-Major   TMM cores on secondary blades of the Chassis system.
911241-7 3-Major   The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug
908829-2 3-Major   The iqsyncer utility may not write the core file for system signals
908801-2 3-Major   SELinux policies may prevent from iqsh/iqsyncer dumping core
903521-1 3-Major   TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'
899253-1 3-Major   [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist
898093-3 3-Major   Removing one member from a WideIP removes it from all WideIPs.
894081-1 3-Major   The Wide IP members view in the WebUI may report the incorrect status for a virtual server.
847105-1 3-Major   The bigip_gtm.conf is reverted to default after rebooting with license expired
789421-5 3-Major   Resource-administrator cannot create GTM server object through GUI
886145-1 4-Minor   The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.
708680-4 4-Minor   TMUI is unable to change the Alias Address of DNS/GTM Monitors


Application Security Manager Issues

ID Number Severity Solution Article(s) Description
904593-3 2-Critical   Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled
887621-3 2-Critical   ASM virtual server names configuration CRC collision is possible
854001-1 2-Critical   TMM might crash in case of trusted bot signature and API protected url
791669-3 2-Critical   TMM might crash when Bot Defense is configured for multiple domains
943441-1 3-Major   Issues in verification of Bot Defense with Anti-Bot Mobile SDK™
941853-5 3-Major   Logging Profiles do not disassociate from virtual server when multiple changes are made
929077-3 3-Major   Bot Defense Whitelist does not apply when using default Route Domain and XFF header
923221-2 3-Major   BD does not use all the CPU cores
922261-1 3-Major   WebSocket server messages are logged even it is not configured
921677-1 3-Major   Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.
920961-1 3-Major   Devices incorrectly report 'In Sync' after an incremental sync
920197-4 3-Major   Brute force mitigation can stop mitigating without a notification
918081-2 3-Major   Application Security Administrator role cannot create parent policy in the GUI
914277-1 3-Major   [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU
913761-1 3-Major   Security - Options section in navigation menu is visible for only Administrator users
913757-2 3-Major   Error viewing security policy settings for virtual server with FTP Protocol Security
913137-2 3-Major   No learning suggestion on ASM policies enabled via LTM policy
912089-1 3-Major   Some roles are missing necessary permission to perform Live Update
910253-3 3-Major   BD error on HTTP response after upgrade
907337-1 3-Major   BD crash on specific scenario
907025-4 3-Major   Live update error" 'Try to reload page'
903357-4 3-Major   Bot defense Profile list is loads too slow when there are 750 or more Virtual servers
901061-1 3-Major   Safari browser might be blocked when using Bot Defense profile and related domains.
900797-1 3-Major   Brute Force Protection (BFP) hash table entry cleanup
900789-1 3-Major   Alert before Brute Force Protection (BFP) hash are fully utilized
898825-1 3-Major   Attack signatures are enforced on excluded headers under some conditions
898741-1 3-Major   Missing critical files causes FIPS-140 system to halt upon boot
893061-4 3-Major   Out of memory for restjavad
892653-4 3-Major   Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI
891181-1 3-Major   Wrong date/time treatment in logs in Turkey/Istambul timezone
890825-1 3-Major   Attack Signatures and Threat Campaigns filter incorrect behaviour
888289-7 3-Major   Add option to skip percent characters during normalization
887265-3 3-Major   BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration
703678-4 3-Major   Cannot add 'secure' attributes to several ASM cookies
941929-3 4-Minor   Google Analytics shows incorrect stats, when Google link is redirected.
935293-6 4-Minor   'Detected Violation' Field for event logs not showing
931033-2 4-Minor   Device ID Deletions anomaly might be raised in case of browser/hardware change
919001-3 4-Minor   Live Update: Update Available notification is shown twice in rare conditions
918097-4 4-Minor   Cookies set in the URI on Safari
911729-3 4-Minor   Redundant learning suggestion to set a Maximum Length when parameter is already at that value
907997-1 4-Minor   Source Policy Name instead of Current Policy used in Restore Policy Version
896285-1 4-Minor   No parent entity in suggestion to add predefined-filetype as allowed filetype
893905-1 4-Minor   Wrong redirect from Charts to Requests Log when request status selected in filter
887625-4 4-Minor   Note should be bold back, not red
746984-6 4-Minor   False positive evasion violation
908173-1 5-Cosmetic   Empty fields are shown in the policy version history


Application Visibility and Reporting Issues

ID Number Severity Solution Article(s) Description
934721-4 2-Critical   TMM core due to wrong assert
924945-4 3-Major   Fail to detach HTTP profile from virtual server
913085-2 3-Major   Avrd core when avrd process is stopped or restarted
908065-1 3-Major   Logrotation for /var/log/avr blocked by files with .1 suffix
902485-5 3-Major   Incorrect pool member concurrent connection value
898333-1 3-Major   Avrd logs errors while DCD is restarting
869049-3 3-Major   Charts discrepancy in AVR reports
841305-3 3-Major   HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log
648242-7 3-Major K73521040 Administrator users unable to access all partition via TMSH for AVR reports


Access Policy Manager Issues

ID Number Severity Solution Article(s) Description
910097-4 2-Critical   Changing per-request policy while tmm is under traffic load may drop heartbeats
904441-1 2-Critical   APM vs_score for GTM-APM load balancing is not calculated correctly
924857-3 3-Major   Logout URL with parameters resets TCP connection
924697-1 3-Major   VDI data plane performance degraded during frequent session statistic updates
924521-4 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
907873-1 3-Major   Authentication tab is missing in VPE for RDG-RAP Access Policy type
891613-2 3-Major   RDP resource with user-defined address cannot be launched from webtop with modern customization
883577-5 3-Major   ACCESS::session irule command does not work in HTTP_RESPONSE event
842149-3 3-Major   Verified Accept for SSL Orchestrator
760629-6 3-Major   Remove Obsolete APM keys in BigDB
747020-3 3-Major   Requests that evaluate to same subsession can be processed concurrently
554228-10 3-Major   OneConnect does not work when WEBSSO is enabled/configured.
766017-7 4-Minor   [APM][LocalDB] Local user database instance name length check inconsistencies
747234-8 4-Minor   Macro policy does not find corresponding access-profile directly


WebAccelerator Issues

ID Number Severity Solution Article(s) Description
941961-1 3-Major   Upgrading system using WAM TCP profiles may prevent the configuration from loading


Service Provider Issues

ID Number Severity Solution Article(s) Description
901033-4 2-Critical   TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window
939529-1 3-Major   Branch parameter not parsed properly when topmost via header received with comma separated values
921441-3 3-Major   MR_INGRESS iRules that change diameter messages corrupt diam_msg
917637-4 3-Major   Tmm crash with ICAP filter
908477-1 3-Major   Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request
904373-4 3-Major   MRF GenericMessage: Implement limit to message queues size
898997-1 3-Major   GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes
895801-1 3-Major   Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted
891385-1 3-Major   Add support for URI protocol type "urn" in MRF SIP load balancing
876953-1 3-Major   Tmm crash while passing diameter traffic
817369-3 3-Major   TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.
916781-3 4-Minor   Validation error while attaching DoS profile to GTP virtual


Advanced Firewall Manager Issues

ID Number Severity Solution Article(s) Description
938165-3 2-Critical   TMM Core after attempted update of IP geolocation database file
935769-4 3-Major   Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time
918905-1 3-Major   PCCD restart loop when using more than 256 FQDN entries in Firewall Rules
915221-5 3-Major   DoS unconditionally logs MCP messages to /var/tmp/mcpd.out
910417-1 3-Major   TMM core may be seen when reattaching a vector to a DoS profile
905153-3 3-Major   HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational
857897-3 3-Major   Address and port lists are not searchable within the GUI
789857-4 3-Major   "TCP half open' reports drops made by LTM syn-cookies mitigation.
757279-4 3-Major   LDAP authenticated Firewall Manager role cannot edit firewall policies
716746-4 3-Major   Possible tmm restart when disabling single endpoint vector while attack is ongoing
935865-6 4-Minor   Rules that share the same name return invalid JSON via REST API
928665-3 4-Minor   Kernel nf_conntrack table might get full with large configurations.
928177-3 4-Minor   Syn-cookies might get enabled when performing multiple software upgrades.
920361-1 4-Minor   Standby device name sent in Traffic Statistics syslog/Splunk messages
803149-3 4-Minor   Flow Inspector cannot filter on IP address with non-default route_domain
906885-2 5-Cosmetic   Spelling mistake on AFM GUI Flow Inspector screen


Policy Enforcement Manager Issues

ID Number Severity Solution Article(s) Description
941169-5 3-Major   Subscriber Management is not working properly with IPv6 prefix flows.
911585-4 4-Minor   PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval


Carrier-Grade NAT Issues

ID Number Severity Solution Article(s) Description
928553-4 2-Critical   LSN64 with hairpinning can lead to a tmm core in rare circumstances
723658-7 2-Critical   TMM core when processing an unexpected remote session DB response.


Fraud Protection Services Issues

ID Number Severity Solution Article(s) Description
876581-1 3-Major   JavaScript engine file is empty if the original HTML page cached for too long
891729-1 4-Minor   Errors in datasyncd.log
940401-1 5-Cosmetic   Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'


Anomaly Detection Services Issues

ID Number Severity Solution Article(s) Description
914293-4 3-Major   TMM SIGSEGV and crash
915489-3 4-Minor   LTM Virtual Server Health is not affected by iRule Requests dropped


Traffic Classification Engine Issues

ID Number Severity Solution Article(s) Description
913453-6 2-Critical   URL Categorization: wr_urldbd cores while processing urlcat-query
901041-2 2-Critical   CEC update using incorrect method of determining number of blades in VIPRION chassis
887609-6 2-Critical   TMM crash when updating urldb blacklist
874677-4 2-Critical   Traffic Classification auto signature update fails from GUI


Device Management Issues

ID Number Severity Solution Article(s) Description
718796-6 2-Critical   IControl REST token issue after upgrade
760752-4 3-Major   Internal sync-change conflict after update to local users table
717174-4 3-Major   WebUI shows error: Error getting auth token from login provider


iApp Technology Issues

ID Number Severity Solution Article(s) Description
768085-6 4-Minor   Error in python script /usr/libexec/iAppsLX_save_pre line 79


Protocol Inspection Issues

ID Number Severity Solution Article(s) Description
825501-4 3-Major   IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.
778225-4 3-Major   vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host
760740-4 4-Minor   Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

 

Known Issue details for BIG-IP v16.0.x

943641-2 : IKEv1 IPsec in interface-mode may fail to establish after ike-peer reconfig

Component: TMOS

Symptoms:
After changing an element of the ike-peer configuration, such as the pre-shared secret, the related IPsec interface mode tunnel can no longer forward packets into the tunnel.

Conditions:
-- IKEv1
-- IPsec policy in interface mode
-- Configuration change or a new configuration

Impact:
When the problem is exhibited on a BIG-IP Initiator, ISAKMP negotiation will fail to start when interesting traffic arrives. No messages are written to /var/log/racoon.log.

When the problem is exhibited on a BIG-IP Responder, the IPsec tunnel will successfully establish but the BIG-IP will fail to forward any interesting traffic into the established tunnel. No useful log messages are seen.

Note: "Interesting traffic" is packets that match a traffic-selector.

Workaround:
Run "bigstart restart tmm" or reboot.


943577-1 : Full sync failure for traffic-matching-criteria with port list under certain conditions

Component: TMOS

Symptoms:
Performing a full configuration sync with traffic-matching-criteria (TMC) under specific conditions fails with errors similar to:

err mcpd[6489]: 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127.
err mcpd[6489]: 01071488:3: Remote transaction for device group /Common/Failover to commit id 245 6869100131892804717 /Common/tmc-sync-2-bigip1.test 0 failed with error 01070710:3: Database error (13), Cannot update_indexes/checkpoint DB object, class:traffic_matching_criteria_port_update status:13 - EdbCfgObj.cpp, line 127..

Conditions:
This may occur on a full-load config sync (not an incremental sync)
On the device receiving the ConfigSync:
   - a traffic-matching-criteria is attached to a virtual server
   - the traffic-matching-criteria is using a port-list
On the device sourcing the ConfigSync:
   - the same traffic-matching-criteria is attached to the same virtual server
   - the original port-list is modified (e.g. a description is changed)
   - the TMC is changed to reference a _different_ port-list

Impact:
Unable to sync configurations.

Workaround:
Copy the "net port-list" and "ltm traffic-matching-criteria" objects from the source to target system, merge them with "tmsh load sys config merge", and then perform a force-full-load-push sync from source to target.


1. On the source system (the system whose configuration you want to sync to peer), extract the ltm traffic-matching-criteria and port-lists:

tmsh save sys config

(shopt -s nullglob; cat /config{/partitions/*,}/bigip{_base,}.conf) | \
    awk '
        BEGIN { p=0 }
        /^(ltm traffic-matching-criteria|net port-list) / { p=1 }
        /^}/ { if (p) { p=0; print } }
        { if (p) print; }
    ' > /var/tmp/portlists-and-tmcs.txt

2. Copy /var/tmp/portlists-and-tmcs.txt to the target system

3. On the target system, load that file:

    tmsh load sys config merge file /var/tmp/portlists-and-tmcs.txt

4. On the source system, force a full-load sync to the device-group:

    tmsh run cm config-sync force-full-load-push to-group <name of sync-group>


943473-1 : LDAP monitor's test functionality has an incorrect and non-modifiable IP field in GUI

Component: TMOS

Symptoms:
While trying to use the monitor test page in the GUI for an LDAP monitor, the destination address field has "*.*" as a value and it is not editable.

Conditions:
Create an LDAP monitor, and go to the Test page.

Impact:
You are unable to modify the test destination address for the LDAP monitor

Workaround:
Use TMSH command.
To run test:
tmsh run /ltm monitor ldap <LDAP-Monitor-Name> destination <IP-Address>
Example: tmsh run /ltm monitor ldap myldap destination 10.10.10.10:389

To check test result:
tmsh show /ltm monitor ldap <LDAP-Monitor-Name> test-result
tmsh show /ltm monitor ldap myldap test-result


943441-1 : Issues in verification of Bot Defense with Anti-Bot Mobile SDK™

Component: Application Security Manager

Symptoms:
Verification may be incomplete when using the Anti-Bot Mobile SDK™ with the Bot Defense profile.

Conditions:
Using the Bot Defense profile together with the Anti-Bot Mobile SDK™ and enabling the Mobile Applications section in the profile.

Impact:
Mobile application verification may be incomplete.

Workaround:
None


943109-1 : Mcpd crash when bulk deleting Bot Defense profiles

Component: TMOS

Symptoms:
When bulk deleting a large number of Bot Defense profiles (around 450 profiles) using TMSH, mcpd could crash.

Conditions:
This can be encountered during bulk delete of Bot Defenese profiles via tmsh.

Impact:
Crash of mcpd causing failover.

Workaround:
Delete the Bot Defense profiles in smaller batches to avoid the possible crash.


943045-3 : Inconsistency in node object name and node IPv6 address when IPv6 pool-member is created without providing node object name.

Component: TMOS

Symptoms:
When using Ansible to create a pool that contains an IPv6 pool member, you get an error:

0107003a:3: Pool member node and existing node cannot use the same IP Address .

Conditions:
-- Creating a new pool via Ansible
-- A new IPv6 pool member is used
-- The IPv6 pool member's name is not included

Impact:
Pool creation fails.

Workaround:
If you are unable to specify the pool member name, then you could use other available configuration tools like tmsh, the GUI, or AS3.


942921-1 : TMM leaking packets due to error handling

Component: Local Traffic Manager

Symptoms:
Packet and xdata memory consumption is increasing gradually.

Conditions:
-- Configure Network access and establish VPN tunnel.
-- Tunnel faces buffer overflow issues.

Impact:
TMM memory leak.

Workaround:
None


942549-1 : Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Component: TMOS

Symptoms:
During boot of a i15xxx system you see the message:

Dataplane INOPERABLE - Only 7 HSBs found. Expected 8

Conditions:
There are no specific conditions that cause the failure.
This can occur on any i15xxx device, although some devices exhibit the failure consistently around 50% of boots and others never exhibit the issue.

Impact:
When this failure occurs in a system, the system is inoperable.

Workaround:
There is no workaround for systems that do not have software capable of resetting the hardware device during the HSB load process.


942217-4 : Virtual server keeps rejecting connections for rstcause 'VIP down' even though virtual status is 'available'

Component: Local Traffic Manager

Symptoms:
With certain configurations, virtual server keeps rejecting connections for rstcause 'VIP down' after 'trigger' events.

Conditions:
Required Configuration:

-- On the virtual server, the service-down-immediate-action is set to 'reset' or 'drop'.

-- The pool member has rate-limit enabled.

Required Conditions:

-- Monitor flap, or adding/removing monitor or configuration change made with service-down-immediate-action.

-- At that time, one of the above events occur, the pool member's rate-limit is active.

Impact:
Virtual server keeps rejecting connections.

Workaround:
Delete one of the conditions.

Note: The affected virtual server may automatically recover upon the subsequent monitor flap, etc., if no rate-limit is activated at that time.


941961-1 : Upgrading system using WAM TCP profiles may prevent the configuration from loading

Component: WebAccelerator

Symptoms:
If a BIG-IP is on version 13.1.0 through 15.1.x and has profiles in use that use wam-tcp-wan-optimized and/or wam-tcp-lan-optimized as parent profiles, then when the configuration is upgraded to 16.0.0, the configuration fails to load, with an error similar to:

err mcpd[10087]: 01020036:3: The requested parent profile (/Common/wam-tcp-wan-optimized) was not found.

Conditions:
-- Upgrading from version 13.1.0 through 15.1.x.
-- Using profiles derived from wam-tcp-wan-optimized and/or wam-tcp-lan-optimized.

Impact:
Configuration does not load.

Workaround:
Remove these profiles and adjust the configuration elements that use them accordingly.

Here are two examples:

-- Copy the definition of 'wam-tcp-wan-optimized' from /defaults/wam_base.conf into /config/bigip.conf, and then reload the configuration.

-- Change the references to wam-tcp-wan-optimized to something else in your config file (e.g., tcp-wan-optimized), and then reload the configuration.


941929-3 : Google Analytics shows incorrect stats, when Google link is redirected.

Component: Application Security Manager

Symptoms:
When server respond with a redirect, ASM challenge makes Google Analytics stats appear as if they are 'Direct' instead of 'Organic'.

Conditions:
-- Google link is responded to (by the server) with a redirect.

-- Bot defense profile or DoS Application profile attached to a virtual server with challenge mitigation enabled.

Impact:
Incorrect data is displayed in the Google Analytics dashboard.

Workaround:
None


941853-5 : Logging Profiles do not disassociate from virtual server when multiple changes are made

Component: Application Security Manager

Symptoms:
When multiple Logging Profiles profile changes are made in a single update, the previous Logging Profiles are not disassociated from the virtual server. Additionally, when an Application Security Logging Profile change is made, newly added Protocol Security Logging Profile settings do not take effect.

Conditions:
Multiple Logging Profile changes are made in a single update.

Impact:
The previous Logging Profiles are not disassociated from the virtual server.

Workaround:
Perform each Log Profile change individually. For example, to change an Application Security Log Profile:
1. Remove the current association and save.
2. Add the new association and save again.


941169-5 : Subscriber Management is not working properly with IPv6 prefix flows.

Component: Policy Enforcement Manager

Symptoms:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted.

Conditions:
When IPv6 prefix flows are configured on PEM (i.e., sys db variable tmm.pem.session.ipv6.prefix.len is configured with a value other than 128).

Impact:
Flows for a PEM subscriber are not deleted from the system even after the subscriber is deleted. Resources are not released from the system.

Workaround:
None.


940837-3 : The iRule command node is not triggered in CLIENT_ACCEPTED with HTTP/2.

Component: Local Traffic Manager

Symptoms:
The node iRule command causes the specified server node to be used directly, thus bypassing any load-balancing. However, with HTTP/2, the node command may fail to execute within the CLIENT_ACCEPTED event. This results in no traffic being sent to configured node.

Conditions:
-- A node command is used under CLIENT_ACCEPTED event.
-- An HTTP/2 profile applied to virtual server.
-- The HTTP/2 protocol in use.

Impact:
With HTTP/2 configured, the iRule node command fails to execute within the CLIENT_ACCEPTED event, causing no traffic to be sent to the desired node.

Workaround:
As a workaround, you may use HTTP_REQUEST event instead of CLIENT_ACCEPTED in iRule syntax.


940733-4 : Downgrading a FIPS-enabled BIG-IP system results in a system halt

Component: Global Traffic Manager (DNS)

Symptoms:
After upgrading a FIPS-enabled BIG-IP system, booting to a partition running an earlier software version, which results in a libcrypto validation error and system halt.

Conditions:
-- FIPS-licensed BIG-IP system.
-- Upgrade.
-- Boot into an partition running an earlier version of the software.

Impact:
System boots to a halted state.

Workaround:
Before booting to the partition with the earlier version, delete /shared/bin/big3d.

Note: This issue might have ramifications for DNS/GTM support. DNS/GTM is not FIPS certified.


940401-1 : Mobile Security 'Rooting/Jailbreak Detection' now reads 'Rooting Detection'

Component: Fraud Protection Services

Symptoms:
MobileSafe SDK does not support iOS jailbreak detection, so the GUI should refer only to Android Rooting Detection.

Conditions:
-- Fraud Protection Service (FPS) provisioned.
-- FPS and MobileSafe Licensed.

Impact:
Introduces confusion when indicating that iOS jailbreak detection is supported, which it is not.

Workaround:
None.


939757-5 : Deleting a virtual server might not trigger route-injection update.

Component: TMOS

Symptoms:
When using multiple virtual-servers sharing the same destination address (virtual-address), deleting a single virtual-server that contributes to a virtual-address status might not trigger a route-injection update.

Conditions:
-- Multiple virtual-servers sharing the same destination address.
-- Virtual-server is deleted.

Impact:
Route remains in a routing table and/or Route is not removed from a routing table.

Workaround:
Disable and re-enable the virtual-address after deleting a virtual-server.


939541-1 : TMM may prematurely shut down during initialization when a lot of TMMs and interfaces are configured on a VE

Component: TMOS

Symptoms:
TMM may prematurely shut down (during its initialization) when several TMMs and interfaces are configured. The system logs messages in one or more TMM log files (/var/log/tmm*):
MCP connection aborted, exiting.

Conditions:
-- BIG-IP Virtual Edition (VE).
-- Happens during TMM startup.
-- The issue is intermittent, but is more likely to occur on systems with a lot of TMMs (more 20 in most cases) and several interfaces (approximately 8 or more).

Impact:
TMM shuts down prematurely. Traffic disrupted while tmm restarts. Possible deadlock and MCP restart loop requiring a full reboot of the BIG-IP device.

Workaround:
None.


939529-1 : Branch parameter not parsed properly when topmost via header received with comma separated values

Component: Service Provider

Symptoms:
MRF SIP in LoadBalancing Operation Mode inserts a VIA header to SIP request messages. This Via header is removed from the returned response message. The VIA header contains encrypted routing information to route the response message. The SIP specification states that INVITE/CANCEL messages in a dialogue should contain the same branch header. The code used to encrypt the branch field returns a different branch ID for INVITE and CANCEL messages.

Conditions:
-- Enabling SIP Via header insertion on the BIG-IP system.
-- SIP MRF profile.
-- Need to cancel an INVITE.
-- INVITE Via header received with multiple comma-separated values.

Impact:
Some SIP clients have code to verify the branch fields in the Via header. These clients expect the branch to be same for INVITE and CANCEL in a dialogue. Because the branch received is different, these clients are unable to identify the specific INVITE transaction. CANCEL is received and client sends a 481 error:

SIP/2.0 481 Call/Transaction Does Not Exist.

Workaround:
Use iRules to remove the topmost Via header and add new a new Via header that uses the same branch as INVITE and CANCEL while sending messages to SIP clients.


938309-1 : In-TMM Monitors time out unexpectedly

Component: Local Traffic Manager

Symptoms:
When using the in-TMM monitoring feature, monitored targets (nodes/pool members) may be marked DOWN unexpectedly if there is a delay in responding to ping attempts.
Specifically, if the ping response from the target is delayed by more than the 'interval' value configured for the monitor, but less than the 'timeout' value configured for the monitor, the target may be marked DOWN.

Conditions:
This may occur when either:
-- In-TMM monitoring is enabled (sys db bigd.tmm = enable) and the monitor type uses in-TMM monitoring; OR
-- Bigd is configured to NOT reuse the same socket across consecutive ping attempts (sys db bigd.reusesocket = disable)
AND:
-- The monitored target does not respond to ping attempts within the 'interval' value configured for the monitor.

Impact:
The monitored target may be marked DOWN if it does not respond to ping attempts within the 'interval' value configured for the monitor, instead of within the 'timeout' value configured for the monitor.

Workaround:
To work around this issue, use one of the following methods:
-- Disable in-TMM monitoring and enable bigd socket reuse (sys db bigd.tmm = disable, and sys db bigd.reusesocket = enable).
-- Configure the monitor with an 'interval' value longer than the expected response time for the monitored target(s).


938165-3 : TMM Core after attempted update of IP geolocation database file

Component: Advanced Firewall Manager

Symptoms:
TMM crashes while running traffic that uses AFM Firewall policies.

Conditions:
-- Update IP geolocation database file to the latest version.
-- Configure AFM policies with logging enabled.
-- Run traffic which hits the AFM policies and triggers logging.

Impact:
TMM restarts and causes high availability (HA) failover/traffic disruptions. Traffic disrupted while tmm restarts.

Workaround:
Revert to using the previously working version of the IP-geolocation file.


938145-2 : DAG redirects packets to non-existent tmm

Component: TMOS

Symptoms:
-- Connections to self-IP addresses may fail.
-- SYNs packets arrive but are never directed to the Linux host.

Conditions:
-- Provision as vCMP dedicated host.
-- Create a self-IP address with appropriate allow-service.

Impact:
Repeated attempts to connect to the self-IP (e.g., via ssh) fail.

Workaround:
None


937777-1 : The invalid configuration of using HTTP::payload in a PEM Policy may cause the TMM to crash.

Component: Local Traffic Manager

Symptoms:
The iRule command HTTP::payload is not supported for use within Policy Enforcement Manager (PEM) policies. Attempting to use this within your configuration may result in the TMM crashing.

Conditions:
-- Policy Enforcement Manager (PEM) policy containing the iRule command HTTP::payload

Impact:
Traffic disrupted while the TMM restarts.

Workaround:
Do not use the iRule command HTTP::payload within Policy Enforcement Manager (PEM) policies.


937649-1 : Flow fwd broken with statemirror.verify enabled and source-port preserve strict

Component: Local Traffic Manager

Symptoms:
Flow forwarding does not work with statemirror.verify enabled and source-port is preserve strict. Depending on the number of tmms and the IP addresses/ports on the network, this causes return traffic to get dropped.

Traffic captures show packets leaving the BIG-IP system on one tmm and being returned on another. The return traffic that encounters the second tmm is dropped.

Conditions:
-- Mirroring is enabled.
-- High availability (HA) peer is connected.
-- The source-port setting is preserve-strict.
-- The statemirror.verify option is enabled.
-- There is more than one tmm.

Impact:
Server-side return traffic to the BIG-IP is dropped. This causes connection timeouts and resets.

Workaround:
-- Disable statemirror.verify, disable source-port preserve-strict, disable mirroring.

-- On BIG-IP Virtual Edition (VE), add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes


936777-1 : Old local config is synced to other devices in the sync group.

Component: Global Traffic Manager (DNS)

Symptoms:
Newly added DNS/GTM device may sync old local config to other devices in the sync group.

Conditions:
Newly added DNS/GTM device has a more recent change than other devices in the sync group.

Impact:
Config on other DNS/GTM devices in the sync group are lost.

Workaround:
You can use either of the following workarounds:

-- Make a small DNS/GTM configuration change before adding new devices to the sync group.

-- Make a small DNS/GTM configuration change on the newly added device to re-sync the correct config to other DNS/GTM devices.


936557-1 : Retransmissions of the initial SYN segment on the BIG-IP system's server-side incorrectly use a non-zero acknowledgement number when Verified Accept is enabled.

Component: Local Traffic Manager

Symptoms:
As the BIG-IP system attempts to open a TCP connection to a server-side object (e.g., a pool member), retransmissions of the initial SYN segment incorrectly use a non-zero acknowledgement number.

Conditions:
This issue occurs when the following conditions are true:

-- Standard TCP virtual server.

-- TCP profile with Verified Accept enabled.

-- Receipt of the client's ACK (as part of the client-side TCP 3-way handshake) is delayed. Due to Verified Accept being enabled, this delay causes the BIG-IP system to retransmit its SYN to the server until the client's ACK is received.

Impact:
Depending on the specific server implementation, or the security devices present on the BIG-IP system's server-side before the server, a SYN containing a non-zero acknowledgement number may be rejected. In turn, this may cause connections to fail to establish.

Workaround:
If compatible with your application and specific needs, you can work around this issue by disabling Verified Accept in the TCP profile.


936417-4 : DNS/GTM daemon big3d does not accept ECDH or DH ciphers

Component: Global Traffic Manager (DNS)

Symptoms:
The DNS/GTM big3d daemon does not accept ECDH or DH ciphers.

Conditions:
Connections to big3d with ECDH or DH ciphers.

Impact:
ECDH/DH ciphers do not work with big3d.

Workaround:
Do not use ECDH/DH ciphers.


936361-2 : IPv6-based bind (named) views do not work

Component: Global Traffic Manager (DNS)

Symptoms:
Bind does not match IPv6 addresses configured for a zone view, and returns REFUSED responses, rather than the
expected answers.

After enabling debug logging in bind (see K14680), the apparent source address of the IPv6 DNS requests shows as being in the fe80::/96 range, rather than the IPv6 source address that sent the request.

For example:

debug 1: client @0x579bf188 fe80::201:23ff:fe45:6701%10#4299: no matching view in class 'IN'

Conditions:
- BIG-IP DNS is provsioned
- One or more ZoneRunner views is defined using IPv6 addresses.
- A DNS query is sent from an IPv6 source address

Impact:
You cannot use DNS views in bind (zonerunner) based on IPv6 addresses.

Workaround:
If possible, use only IPv4 addresses to define views for DNS queries


936093-1 : Non-empty fipserr files loaded from a UCS archive can cause a FIPS BIG-IP platform to remain offline

Component: TMOS

Symptoms:
Loading a UCS file with non-empty fipserr files can cause a FIPS-based system to remain offline.

Conditions:
-- Using a BIG-IP with a Platform FIPS license.
-- Loading a UCS file with a non-empty fipserr file.

Impact:
System is completely offline with spurious 'fipserr' failures, even after loading the UCS file.

Workaround:
Before creating a UCS archive, truncate the following files so they have zero size:

/config/f5_public/fipserr
/var/named/config/f5_public/fipserr
/var/dnscached/config/f5_public/fipserr

This can be accomplished using a command such as:

truncate -c -s0 /config/f5_public/fipserr /var/named/config/f5_public/fipserr /var/dnscached/config/f5_public/fipserr


935945-2 : GTM HTTP/HTTPS monitors cannot be modified via GUI

Component: Global Traffic Manager (DNS)

Symptoms:
GUI reports an error when modifying DNS/GTM HTTP/HTTPS monitors:

01020036:3: The requested monitor parameter (/Common/http-default 2 RECV_STATUS_CODE=) was not found.

Conditions:
RECV_STATUS_CODE has never been set for the DNS/GTM HTTP/HTTPS monitors.

Impact:
Not able to make changes to DNS/GTM HTTP/HTTPS monitors through GUI.

Workaround:
If 'recv-status-code' has never been set, use tmsh instead.

Note: You can set 'recv-status-code' using tmsh, for example:

   tmsh modify gtm monitor http http-default recv-status-code 200


935865-6 : Rules that share the same name return invalid JSON via REST API

Component: Advanced Firewall Manager

Symptoms:
When retrieving rule stats on a firewall policy, if two rules that share the same name but one of which is directly attached to the policy while the other is attached via a rule list, then a invalid JSON is returned. The JSON has identical keys for each entry associated with the rule. This is an invalid JSON structure that cannot be parsed correctly (Or data for one of the rules is lost)

Conditions:
A firewall policy that has one of rule directly attached to the policy while the other is attached via a rule list, and both rules share the same name.

Impact:
Invalid JSON structure returned for stat REST API call

Workaround:
Ensure that no rule shares its name with another rule.


935793-1 : With mirroring enabled on a SIP virtual server, connections on the standby are reset with MBLB internal error (Routing problem)

Component: Local Traffic Manager

Symptoms:
When a virtual server with a SIP profile has mirroring enabled, connections on the standby unit will be removed shortly after being created. If tm.rstcause.log is enabled the reset cause message appears similar to the following:

-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.208:5080 to 10.2.207.201:31597, [0x2c1c820:1673] MBLB internal error (Routing problem).
-- err tmm1[18383]: 01230140:3: RST sent from 10.2.207.209:51051 to 10.2.207.202:5080, [0x2c1c820:931] MBLB internal error.

Conditions:
-- BIG-IP Virtual Edition (VE) running on 2000/4000 platforms using RSS hash.
-- Platforms with more than 1 tmm.

Impact:
Mirrored connections on the standby unit are removed.

Workaround:
-- On BIG-IP VE, add the following to tmm_init.tcl on both units and restart tmm:
 ndal ignore_hw_dag yes


935769-4 : Upgrading / Rebooting BIG-IP with huge address-list configuration takes a long time

Component: Advanced Firewall Manager

Symptoms:
Version upgrade takes more time than usual when the config contains address-lists with a lot of IP addresses. The same delay will be observed with 'tmsh load sys config' as well.

Conditions:
-- Configure address-list with 10K to 20K IP addresses or address ranges or subnets.
-- Attempt upgrade / reboot of the platform.

Impact:
Version upgrade / 'tmsh load sys config' process takes a long time than usual.

Workaround:
1) Convert continuous individual addresses in the address-lists to IP address ranges and subnets if possible.

2) Remove the huge address-lists from config before the upgrade and add back after the upgrade process is finished.


935593-5 : Incorrect SYN re-transmission handling with FastL4 timestamp rewrite

Component: Local Traffic Manager

Symptoms:
FastL4 profiles configured with the TCP timestamp rewrite option enabled does not treat retransmitted SYNs in a correct manner.

Conditions:
FastL4 profile with TCP timestamp rewrite option is in use.

Impact:
Timestamp on some TCP packets sent by BIG-IP systems might be incorrect.

Workaround:
Do not use TCP timestamp rewrite.


935293-6 : 'Detected Violation' Field for event logs not showing

Component: Application Security Manager

Symptoms:
Violation is missing/details not populated in the event log page, when a POST request with large number of parameters are sent to the BIG IP system.

Conditions:
-- A large POST request with lots of parameters is sent to BIG-IP system.
-- 'Learn New Parameters' is enabled.

Impact:
You cannot see the violation details.

Workaround:
Disabling parameter learning helps.

Note: This happens only with a large number of parameters. Usually it works as expected.


935249-1 : GTM virtual servers have the wrong status

Component: Global Traffic Manager (DNS)

Symptoms:
GTM virtual servers have the wrong status (up when they should be down, or down when they should be up).

Conditions:
-- The GTM virtual servers are monitored with an HTTP or HTTPS monitor that performs HTTP status matching.

-- The status code (for example, 200) being searched for in the response appears elsewhere than in the first line (for example, in a following header).

Impact:
The system incorrectly matches the status code in a response line which is not the Status-Line. As a result, the availability status reported for a virtual server may be incorrect. This may cause the GTM system to send traffic to unsuitable resources causing application disruptions.

Workaround:
You can work around this issue by not performing HTTP status matching in your HTTP/HTTPS GTM monitors.


935193-2 : With APM and AFM provisioned, single logout ( SLO ) fails

Component: Local Traffic Manager

Symptoms:
SAML Single log out (SLO) fails on BIG-IP platforms
SAML module in BIG-IP throws following error messages:

SAML SSO: Error (12) Inflating SAML Single Logout Request
SAML SSO: Error (12) decoding SLO message
SAML SSO: Error (12) extracting SAML SLO message

Conditions:
Failures occur with Redirect SLO

Impact:
SAML single logout does not work

Workaround:
Use POST binding SLO requests


935177-1 : IPsec: Changing MTU or PMTU settings on interface mode tunnel cores tmm

Component: TMOS

Symptoms:
TMM crashes when the maximum transmission unit (MTU) or 'Use PMTU' setting is changed while passing IPsec traffic.

Conditions:
-- IPsec tunnel configured and passing traffic.
-- The MTU or 'Use PMTU' setting for the IPsec tunnel (in interface mode) is changed.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Do not change MTU or PMTU settings for the tunnel while it is passing traffic.


934993-1 : BIG-IP resets HTTP/2 connections when a peer exceeds a number of concurrent streams

Component: Local Traffic Manager

Symptoms:
The HTTP/2 protocol allows informing a peer about the number of concurrent streams it is allowed to have. When this number is exceeded, the RFC stipulates that the system must serve all open streams and then terminate a connection.

Conditions:
-- The BIG-IP system has a virtual server with an HTTP/2 profile configured on the client side.
-- A client opens more streams than a configured value for concurrent-streams-per-connection in HTTP/2 profile.

Impact:
BIG-IP resets a connection and a client (browser) does not receive any response for outstanding requests. It requires manually reload of the webpage to address the issue.

Workaround:
None.


934941-1 : Platform FIPS power-up self test failures not logged to console

Component: TMOS

Symptoms:
The BIG-IP system does not log FIPS power-up self-test failures to the console.

Conditions:
A FIPS failure occurs during the power-up self test.

Impact:
Platform FIPS failures are made more difficult to identify and diagnose, because the system console fails to include anything at all that indicates a failure.

Workaround:
None.


934721-4 : TMM core due to wrong assert

Component: Application Visibility and Reporting

Symptoms:
TMM crashes with a core

Conditions:
AFM and AVR provisioned and collecting ACL statistics.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the server-side statistics collection for the Network Firewall Rules using the following menu path:
Security ›› Reporting : Settings : Reporting Settings : Network Firewall Rules


934697-4 : Route domain not reachable (strict mode)

Component: Local Traffic Manager

Symptoms:
Network flows are reset and report errors in /var/log/ltm:

Route domain not reachable (strict mode).

Conditions:
-- LTM with iRules configured.
-- The iRule directs traffic to a node that is in a route domain.

Impact:
Traffic is not sent to the node that is in a route domain.

The iRule 'node' method requires a route_domain to be specified in order for the traffic to be sent to a node that is assigned to a route domain.

Workaround:
Specify the node along with Route domain ID.

Change from this:

when HTTP_REQUEST {
 node 10.10.10.10 80
}

To this (assuming route domain 1):

when HTTP_REQUEST {
 node 10.10.10.10%1 80
}


934241-1 : TMM may core when using FastL4's hardware offloading feature

Component: TMOS

Symptoms:
TMM cores.

Conditions:
FastL4's hardware offloading is used.

Because the error is an internal software logic implementation, there is no direct specific configuration that triggers this error condition. A quick traffic spike during a short period of time makes it more likely to occur.

Impact:
TMM cores and the system cannot process traffic. Traffic disrupted while tmm restarts.

Workaround:
Disable PVA/EPVA on all FastL4 profiles


934065-2 : The turboflex-low-latency and turboflex-dns are missing.

Component: TMOS

Symptoms:
The turboflex-low-latency and turboflex-dns profiles are no longer available in 15.1.x and 16.0.x software releases.

Conditions:
The turboflex-low-latency or turboflex-dns in use.

Impact:
Unable to configure turboflex-low-latency or turboflex-dns profiles after an upgrade to 15.1.x or 16.0.x software release.

Workaround:
None.


933461-5 : BGP multi-path candidate selection does not work properly in all cases.

Component: TMOS

Symptoms:
ZebOS BGP might not properly clear the multi-path candidate flag when handling a BGP route.

Conditions:
An inbound route-map exists that modifies a route's path selection attribute.

Impact:
Incorrect path selection and/or a timer on a route getting refreshed every time the Routing Information Base (RIB) is scanned.

Workaround:
None.


933329-1 : The process plane statistics do not accurately label some processes

Component: TMOS

Symptoms:
The plane process statistics can be used to track the statistics of processes even though the process ID has changed over time. The processes are characterized as belonging to the control plane, data plane, or analysis plane. Some of the processes are incorrectly labeled.

Conditions:
Viewing the plane process statistics when diagnosing plane usage on the BIG-IP system.

Impact:
The percentage of usage of each plane can be confusing or incorrect.

Workaround:
None.


932937-1 : HTTP Explicit Proxy configurations can result in connections hanging until idle timeout.

Component: Local Traffic Manager

Symptoms:
After an HTTP return code of 400 Bad Request or 403 Forbidden, connection table entries may not be removed from the connection table until they reach the idle timeout threshold.

Conditions:
-- HTTP Explicit Proxy Configuration.
-- BIG-IP HTTP response contains a 400 Bad Request or 403 Forbidden status code.

Impact:
The hanging connection table entries can cause subsequent connections from the same source port to fail. Also, the subsequent connection attempts can cause the idle timer to be reset.

Workaround:
Use an iRule to prevent connections from hanging:

when HTTP_REJECT {
    after 1
}


932857-1 : Delays marking Nodes or Pool Members DOWN with in-TMM monitoring

Component: Local Traffic Manager

Symptoms:
When configured with a large number of in-TMM monitors, Nodes or Pool Members may not be marked DOWN immediately after the configured timeout period once the target stops responding to pings.

Conditions:
This may occur when:
-- In-TMM monitoring is enabled (via sys db bigd.tmm).
-- A large number of Nodes and/or Pool Members (several hundreds or thousands) are configured and monitored.

Impact:
Nodes or Pool Members which are not responsive may not be marked DOWN in a timely fashion.

Workaround:
You can work around this issue by disabling in-TMM monitoring, at the expense of decreased monitoring performance (higher CPU usage by the bigd daemon).


932553-5 : An HTTP request is not served when a remote logging server is down

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide an option to sanitize HTTP traffic via the http_security profile. When the profile is configured to alarm on a violation, it is possible that a connection to the violating client is reset if a remote logging server is marked down.

Conditions:
-- A BIG-IP system has an HTTP profile and and an http_security profile with the alarm option set.
-- A remote logging server is configured via a BIG-IP pool.
-- The pool has a monitor that marks all the pool members down.
-- A request with an HTTP violation is processed and triggers an alarm configured in the http_security profile.

Impact:
-- A TCP connection to a client is reset by the BIG-IP system.
-- The web page may not render, or may not render as expected.
-- Data are not delivered to a server with a POST request.

Workaround:
None.


932497-2 : Autoscale groups require multiple syncs of datasync-global-dg

Component: TMOS

Symptoms:
Datasync-global-dg is in 'sync pending' status and is not automatically synced as expected.

Conditions:
Browser Challenges update image is automatically downloaded.

Impact:
Peers are not synced.

Workaround:
Manually sync datasync-global-db group.


932461-4 : Cert update on server SSL profile on HTTPS monitor: BIG-IP not using the updated certificate.

Component: Local Traffic Manager

Symptoms:
If you overwrite the certificate that is configured on the server SSL profile and used with the HTTPS monitor, the BIG-IP system still uses an old certificate.

After you update the certificate, the stored certificate is incremented, but monitor logging indicates it is still using the old certificate.

Conditions:
--Create a pool with an HTTPS pool member.
--Create an HTTPS monitor with cert and key.
--Assign the HTTPS monitor to the HTTPS pool.
--Update the certificate via GUI or tmsh.

Impact:
The monitor still tries to use the old certificate, even after the update.

Workaround:
Use either of the following workarounds:

-- Restart bigd:
bigstart restart bigd

-- Modify the server SSL profile cert key, set it to 'none', and switch back to the original cert key name.

The bigd utility successfully loads the new certificate file.


932437-1 : Loading SCF file does not restore files from tar file

Component: TMOS

Symptoms:
Loading an SCF configuration file does not restore file objects from the SCF's associated tar file.

Restoring the SCF fails with an error similar to this if the running configuration does not already contain the file:

01070712:3: Failed: name (/Common/test-crt) Cache path (/config/filestore/files_d/Common_d/certificate_d/:Common:test-crt) does not exist and there is no copy in trash-bin to restore from.
Unexpected Error: Loading configuration process failed.

Conditions:
Restore an SCF archive that references file objects, e.g.:
-- SSL certificates
-- SSL keys
-- iFiles

Impact:
Restoring SCF does not restore contents of file objects.

Workaround:
None.


932233-1 : '@' no longer valid in SNMP community strings

Component: TMOS

Symptoms:
The '@' character is no longer valid in SNMP community strings.

Conditions:
Attempting to use the '@' character in SNMP community strings.

Impact:
Unable to use the '@' character in SNMP community strings. The system cannot process SNMP commands with community strings that contain the '@' character, and the commands fail.

Workaround:
Use a community string that does not contain the '@' character.


932045-4 : Memory leak with umem_alloc_80 through creating/deleting LTM node object

Component: Local Traffic Manager

Symptoms:
Memory leak in umem_alloc_80 through creating/deleting an LTM node object.

Conditions:
-- Create a node object.
-- Delete the node object.

Impact:
This gradually causes tmm memory pressure, and eventually severe outcome is possible such as aggressive swiper and tmm restart. Traffic disrupted while tmm restarts.

Workaround:
Refrain continuous creation/deletion of LTM nodes.


931629-4 : External trunk fdb entries might end up with internal MAC addresses.

Component: TMOS

Symptoms:
The vCMP host might have external trunk with internal MAC addresses. This is visible via 'tmsh show net fdb'.

Conditions:
-- vCMP is provisioned and has guests deployed on it.
-- vCMP host uses trunks.
-- Create VLANs using trunks and assign it to guests.
-- Guests need to be in high availability (HA) configuration.

Impact:
Traffic processing is disrupted.

Workaround:
None.


931469-8 : Redundant socket close when half-open monitor pings

Component: Local Traffic Manager

Symptoms:
Sockets and log files are closed and re-opened twice instead of one time when the half-open TCP monitor pings successfully.

Conditions:
This occurs when the half-open monitor pings successfully.

Impact:
Minor performance impact.

Workaround:
None.


931149-2 : Some RESOLV::lookup queries, including PTR lookups for RFC1918 addresses, return empty strings

Component: Global Traffic Manager (DNS)

Symptoms:
RESOLV::lookup returns an empty string.

Conditions:
The name being looked up falls into one of these categories:

-- Forward DNS lookups in these zones:
    - localhost
    - onion
    - test
    - invalid

-- Reverse DNS lookups for:
    - 127.0.0.0/8
    - ::1
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
    - 0.0.0.0/8
    - 169.254.0.0/16
    - 192.0.2.0/24
    - 198.51.100.0/24
    - 203.0.113.0/24
    - 255.255.255.255/32
    - 100.64.0.0/10
    - fd00::/8
    - fe80::/10
    - 2001:db8::/32
    - ::/64

Impact:
RESOLV::lookup fails.

Workaround:
Use a DNS Resolver ('net dns') and RESOLVER::name_lookup / DNSMSG:: instead of RESOLV::lookup:

1. Configure a local 'net dns' resolver, replacing '192.88.99.1' with the IP address of your DNS resolver:

    tmsh create net dns-resolver resolver-for-irules answer-default-zones no forward-zones add { . { nameservers add { 192.88.99.1:53 } } }

2. Use an iRule procedure similar to this to perform PTR lookups for IPv4 addresses:

proc resolv_ptr_v4 { addr_v4 } {
    # Convert $addr_v4 into its constituent bytes
    set ret [scan $addr_v4 {%d.%d.%d.%d} a b c d]
    if { $ret != 4 } {
        return
    }

    # Perform a PTR lookup on the IP address $addr_v4, and return the first answer
    set ret [RESOLVER::name_lookup "/Common/resolver-for-irules" "$d.$c.$b.$a.in-addr.arpa" PTR]
    set ret [lindex [DNSMSG::section $ret answer] 0]
    if { $ret eq "" } {
        # log local0.warn "DNS PTR lookup for $addr_v4 failed."
        return
    }

    # Last element in '1.1.1.10.in-addr.arpa. 600 IN PTR otters.example.com'
    return [lindex $ret end]
}

-- In an iRule, instead of:
    RESOLV::lookup @192.88.9.1 $ipv4_addr
Use:
    call resolv_ptr_v4 $ipv4_addr


931033-2 : Device ID Deletions anomaly might be raised in case of browser/hardware change

Component: Application Security Manager

Symptoms:
-- Valid users complain they are unable to connect, or they are required to do CAPTCHA frequently.
-- On the BIG-IP device, 'Device ID Deletion' violations are being raised.

Conditions:
-- Bot Defense Profile with 'Device ID' mode set to 'Generate After Access' is attached to the virtual server.
-- Some change in the browser or computer hardware occurs.
-- Surfing to multiple qualified pages at the same time.

Impact:
Valid requests might be mitigated.

Workaround:
Raise the threshold of 'Device ID Deletion' anomaly (recommended value according to the webserver, is approximately 4).


930825-5 : System should reboot (rather than restart services) when it sees a large number of HSB XLMAC errors

Component: TMOS

Symptoms:
The following symptoms may be seen when the HSB is experiencing a large number of XLMAC errors and is unable to recover from the errors. After attempting XLMAC recovery fails, the current behavior is to failover to the peer unit and go-offline and down links.

This can be seen the TMM logs:
-- notice The number of the HSB XLMAC recovery operation 11 or fcs failover count 0 reached threshold 11 on bus: 3.
-- notice HA failover action is triggered due to XLMAC/FCS errors on HSB1 on bus 3.
-- notice HSBE2 1 disable XLMAC TX/RX at runtime.
-- notice HA failover action is cleared.

Followed by a failover event.

Conditions:
It is unknown under what conditions the XLMAC errors occur.

Impact:
The BIG-IP system fails over.

Workaround:
Modify the default high availability (HA) action for the switchboard-failsafe to reboot instead of go offline and down links.


930005-1 : Recover previous QUIC cwnd value on spurious loss

Component: Local Traffic Manager

Symptoms:
If a QUIC packet is deemed lost, but an ACK for it is then received, the cwnd is halved despite there being no actual packet loss. Packet reordering can cause this situation to occur.

Conditions:
A QUIC packet is deemed lost, and an ACK for it is received before the ACK of its retransmission.

Impact:
Inefficient use of bandwidth in the presence of packet reordering.

Workaround:
None.


929429-1 : Oracle database monitor uses excessive CPU when FIPS is licensed

Component: Local Traffic Manager

Symptoms:
Whenever you create Oracle monitors, and add a member to the monitor, every time the OpenSSL libraries are loaded for a new connection, high CPU usage occurs.

Conditions:
-- Create an Oracle LTM.
-- Add a pool member to the Oracle monitor created.
-- FIPS is licensed.

Impact:
High CPU Usage due to the loading of libraries whenever new connection is created.

Workaround:
None.


929077-3 : Bot Defense Whitelist does not apply when using default Route Domain and XFF header

Component: Application Security Manager

Symptoms:
When configuring an IP address whitelist in Bot Defense Profile, using a default Route Domain, and sending a request with an X-Forwarded-For header the request might not be whitelisted.

Conditions:
-- Bot Defense Profile is attached to virtual server.
-- Bot Defense Profile has an IP address whitelist configured.
-- Using default Route Domain.
-- Sending a request with X-Forwarded-For header.
-- Might require heavy traffic.

Impact:
Request from a whitelisted IP address is blocked.

Workaround:
Whitelist the IP address using an iRule.


928857-1 : Use of OCSP responder may leak X509 store instances

Component: Local Traffic Manager

Symptoms:
The use of OCSP responder may cause X509 certificate store instances to be leaked, eventually causing memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_compat memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928805-1 : Use of OCSP responder may cause memory leakage

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause small amounts of SSL memory to be leaked, eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM SSL memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart. Traffic disrupted while tmm restarts.

Workaround:
No workaround.


928789-1 : Use of OCSP responder may leak SSL handshake instances

Component: Local Traffic Manager

Symptoms:
Use of OCSP responder may cause SSL handshake instances to be leaked eventually leading to memory pressure.

Conditions:
OCSP responder configured.

Impact:
TMM ssl_hs memory usage grows over time, eventually causing memory pressure, and potentially a traffic outage due to TMM restart.

Workaround:
No workaround.


928697-1 : Incorrect logging of proposal payloads from remote peer during IKE_SA_INIT

Component: TMOS

Symptoms:
When debug mode is enabled, racoon2 logs packet payloads during IKE negotiation. When multiple proposals are present in an IKE_SA_INIT packet, the logging of the proposal payloads is incorrect.

Conditions:
The initiator sends more than one proposal.

Impact:
Diagnosing connection issues is more difficult.

Workaround:
During debugging, ignore IKE_SA_INIT packet dump in the logs.


928665-3 : Kernel nf_conntrack table might get full with large configurations.

Component: Advanced Firewall Manager

Symptoms:
Linux host connections are unreliable, and you see warning messages in /var/log/kern.log:

warning kernel: : [182365.380925] nf_conntrack: table full, dropping packet.

Conditions:
This can occur during normal operation for configurations with a large number of monitors, for example, 15 KB active entries.

Impact:
Monitors are unstable/not working at all.

Workaround:
1. Modify /etc/modprobe.d/f5-platform-el7-conntrack-default.conf
increasing the hashsize value:

options nf_conntrack hashsize=262144

2. Save the file.
3. Reboot the system.


928553-4 : LSN64 with hairpinning can lead to a tmm core in rare circumstances

Component: Carrier-Grade NAT

Symptoms:
LSN64 with hairpinning configured can lead to a tmm core in rare circumstances.

Conditions:
- LSN64 virtual server.
- Hairpinning enabled.
- FLOW_INIT iRule.
- Full proxy config.

Impact:
Tmm cores. Traffic disrupted while tmm restarts.

Workaround:
Disable full proxy config of hairpinning.


928389-1 : GUI become inaccessible after importing certificate under import type 'certificate'

Component: TMOS

Symptoms:
Current implementation causes httpd down and makes the GUI inaccessible as soon as you import a new cert.

Conditions:
Upload new cert using Import-type 'Certificate' option.

Impact:
The GUI inaccessible as soon as you import a cert using import-type 'Certificate'.

Workaround:
Manually copy the correct key.


928353-1 : Error logged installing Engineering Hotfix: Argument isn't numeric

Component: TMOS

Symptoms:
When installing an Engineering Hotfix, the following error may be logged in /var/log/liveinstall.log:

Argument "" isn't numeric in numeric eq (==) at /var/tmp/install/pkgcpio/usr/local/lib/tm_install/Hotfix.pm line 651.

Conditions:
This error may occur when installing an Engineering Hotfix, if the Engineering Hotfix does not include an update to the nash-initrd component.

Impact:
The error message gives a mistaken impression that the Engineering Hotfix did not install successfully. However, it does install correctly, and the system operates without issue. You can safely ignore this message.

Workaround:
None.


928177-3 : Syn-cookies might get enabled when performing multiple software upgrades.

Component: Advanced Firewall Manager

Symptoms:
Syn-cookie protection of FastL4/TCP profile might get enabled when performing multiple software upgrades.

Conditions:
-- Performing an upgrade from version earlier than 14.0.0 to a version higher than or equal to 14.0.0.
-- Then performing another upgrade.

Impact:
Value of profile attribute syn-cookie-enable might be changed during an upgrade.

Workaround:
Save configuration before starting each upgrade.


927941-6 : IPv6 static route BFD does not come up after OAMD restart

Component: TMOS

Symptoms:
The Bidirectional Forwarding Detection (BFD) session for an IPv6 static route is not shown in response to the command:
imish -e "show bfd session"

Conditions:
-- BFD is configured with static route IPv6.
-- Restart the oamd process.

Impact:
BFD session is not shown in 'show bfd session'.

Workaround:
Restart tmrouted:
bigstart restart tmrouted


927713-3 : Secondary blade IPsec SAs lost after standby reboot using clsh reboot

Component: Local Traffic Manager

Symptoms:
-- When 'clsh reboot' is executed on the primary blade, it internally calls ssh reboot on all secondary blades and then reboots the primary blade. The 'clsh reboot' script hangs, and there is a delay in rebooting the primary blade.
-- Running 'ssh reboot' on secondary blades hangs due to sshd sessions getting killed after network interface down.

Conditions:
-- Running 'clsh reboot' on the primary blade.
-- Running 'ssh reboot' on secondary blades.

Impact:
Secondary blade IPSec Security Associations (SAs) are lost, resulting in SA sync issues.

Workaround:
Perform a reboot from the GUI.


927633-1 : Failure path in external datagroup internal mapping operation failure may result in 'entry != NULL' panic

Component: Local Traffic Manager

Symptoms:
Log messages written to /var/log/ltm:
-- notice tmm2[30394]: 01010259:5: External Datagroup (/Common/dg1) queued for update.
-- notice panic: ../kern/sys.c:1081: Assertion "entry != NULL" failed.

Conditions:
-- Create datagroups.
-- Some condition causes a datagroup to not be present (e.g., delete, rename operations, or another, internal operation).
-- Load the config.

Impact:
Internal mapping of external datagroup fails. Datagroup creation fails.

Workaround:
None.


927569-1 : HTTP/3 rejects subsequent partial SETTINGS frames

Component: Local Traffic Manager

Symptoms:
HTTP/3 aborts the connection upon receipt of a 'second' SETTINGS frame.

Conditions:
HTTP/3 first receives an incomplete SETTINGS frame, followed by more SETTINGS frame bytes.

Impact:
Connection fails to complete.

Workaround:
None.


927441-4 : Guest user not able to see virtual server details when ASM policy attached

Component: TMOS

Symptoms:
When ASM is attached to a Virtual Server, a BIG-IP user account configured with the Guest role cannot see virtual server details. An error message is printed instead:
01070823:3: Read Access Denied: user (guestuser) type (GTM virtual score).

Conditions:
-- ASM Policy attached to virtual server.
-- Logging onto the BIG-IP system using an account configured with the guest user role.
-- Running the command:
tmsh show ltm virtual detail

Impact:
Cannot view virtual server details.

Workaround:
None.


927033-3 : Installer fails to calculate disk size of destination volume

Component: TMOS

Symptoms:
Installation fails with a 'Disk full (volume group)' error in var/log/liveinstall.log:

error: tm_install::Process::Process_full_install -- predicted size for BIGIP14125 is 12315728, current location size is 11120640, and vg has 0 remaining.

Conditions:
Platforms with software RAID that also have a symlink in /dev/md that looks like the following:

[root@bigip1] images # ls -l /dev/md/
total 8
-rw-r--r--. 1 root root 5 2020-07-09 16:12 autorebuild.pid
lrwxrwxrwx. 1 root root 8 2020-07-09 16:51 localhost:0 -> ../md127
-rw-------. 1 root root 66 2020-07-09 16:11 md-device-map

Impact:
Unable to successfully upgrade.

Workaround:
Create the expected symlink manually:

cd /dev/md
ln -s ../md127 _none_\:0


926997-2 : QUIC HANDSHAKE_DONE profile statistics are not reset

Component: Local Traffic Manager

Symptoms:
QUIC HANDSHAKE_DONE profile statistics are not set back to 0 when statistics are reset.

Conditions:
A QUIC virtual server receives or sends HANDSHAKE_DONE frames, and the profile statistics are later reset.

Impact:
QUIC HANDSHAKE_DONE profile statistics are not reset.

Workaround:
Restart tmm to reset all statistics:

Impact of Workaround: Traffic disrupted while tmm restarts.

bigstart restart tmm


926985-1 : HTTP/3 aborts stream on incomplete frame headers

Component: Local Traffic Manager

Symptoms:
HTTP/3 streams abort at seemingly arbitrary times when BIG-IP is receiving large amounts of data.

Conditions:
HTTP/3 receives an incomplete frame header on a given stream.

Impact:
Data transfer is incomplete.

Workaround:
None


926929-4 : RFC Compliance Enforcement lacks configuration availability

Component: Local Traffic Manager

Symptoms:
Earlier versions contained fixes that enforce several RFC compliance items for HTTP requests and response processing by BIG-IP systems. Enforcement for some of these items is unavoidable, but might cause issues for certain applications.

Conditions:
The configuration has a virtual server with an HTTP profile.

Impact:
Some applications that allows certain constructions after a header name may not function.

Workaround:
None.


926757-3 : ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Component: Local Traffic Manager

Symptoms:
ICMP traffic to a disabled virtual-address might be handled by a virtual-server.

Conditions:
Virtual-server with an address space overlapping with a self-IP, capable of handling ICMP traffic, for example:
ip-forward wildcard 0.0.0.0/0 virtual-server

Impact:
ICMP traffic to a virtual-address might be handled by a virtual-server.

Workaround:
There is no workaround.


926593-1 : GTM/DNS: big3d gateway_icmp probe for IPv6 incorrectly returns 'state: timeout'

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS gateway_icmp monitor for IPv6 virtual servers sometimes returns 'state: timeout' even though big3d receives the packet successfully.

Conditions:
- GTM/DNS provisioned.
- IPv6 virtual server with gateway_icmp GTM/DNS monitor.

Impact:
IPv6 virtual servers are marked down unexpectedly.

Workaround:
Use a different gtm monitor type than gateway_icmp for IPv6 targets


926513-1 : HTTP/2 clone pool fails to receive traffic with the clone pool (server) option selected.

Component: Local Traffic Manager

Symptoms:
HTTP/2 Clone pools are not working when the Clone Pool (Server) option is selected. This issue occurs when a HTTP/2 profile (Server) or HTTP/2 full-proxy configuration is enabled and an HTTP/2 clone pool is set on a virtual server. This issue prevents traffic from being copied to the appropriate clone pool member.

Conditions:
A virtual server provisioned with the following configuration:

--HTTP/2 default pool.
--HTTP/2 clone pool (server).
--HTTP/2 profile (server) or HTTP/2 profile full-proxy configuration.

Impact:
Clone pools (server) do not mirror HTTP/2 traffic.

Workaround:
None.


925797-1 : Full config sync fails and mcpd memory usage is very high on the receiving device with thousands of FQDN pools members

Component: TMOS

Symptoms:
There there are thousands of FQDN nodes and thousands of pools that have FQDN pool members, mcpd can run out of memory during a full config sync.

The mcpd process might fail and restart or it might remain running but have its virtual memory so fragmented that queries to mcpd might fail to allocate memory.

One of signs that this has occurred is a non-zero free_fail count in the tmstat table vmem_kstat.

Conditions:
-- Thousands of FQDN nodes
-- Thousands of pools with FQDN pool members
-- Full config sync.

Impact:
-- The mcpd process might restart.
-- The config save operation fails:
tmsh save /sys config fails
-- Other queries to mcpd fail.

Workaround:
None.


924945-4 : Fail to detach HTTP profile from virtual server

Component: Application Visibility and Reporting

Symptoms:
The virtual server might stay attached to the initial HTTP profile.

Conditions:
Attaching new HTTP profiles or just detaching an existing one.

Impact:
The virtual server stays attached to the former HTTP profile, meaning that the virtual server might be attached to a different HTTP profile than what the GUI displays. Configuration changes to the HTTP profile the GUI shows as attached are not reflected in the virtual server. For example, the new HTTP profile might enable XFF, but if the former attached profile does not enable it, the virtual server does not accept XFF.

Workaround:
Create new similar virtual server and attach it to the correct HTTP profile.


924857-3 : Logout URL with parameters resets TCP connection

Component: Access Policy Manager

Symptoms:
TCP connection reset when 'Logout URI Include' configured.

Conditions:
-- Access Policy with a valid 'Logout URI Include' string, e.g.:
 /logoff.html
-- Request to 'Logout URI Include' URI from user-agent that includes a query parameter string, e.g.:
 /logoff.html?a=b

Impact:
TCP connection resets, reporting BIG-IP APM error messages.

'Logout URI Include' does not support custom query strings in logout URIs to include. For example, with a 'Logout URI Include' value of /logoff.html, if a user-agent sends a logout URI request in the form of /logoff.html?a=b, logout URI validation resets the connection and reports an error:
-- Access encountered error: ERR_ARG. File: ../modules/hudfilter/access/access.c, Function: access_check_uri_type.


Note: BIG-IP APM prohibits the configuration of 'Logout URI Include' from containing a query string on the BIG-IP system. For example, attempting to configure 'Logout URI Include' with a URI in the form of /logoff.html?a=b fails and displays error messages:
-- Configuration error: Configured URI (/logoff.html?a=b) is not allowed to contain query parameter.

Workaround:
None


924697-1 : VDI data plane performance degraded during frequent session statistic updates

Component: Access Policy Manager

Symptoms:
Data plane performance for VDI use cases (Citrix/VMware proxy) is degraded during frequent access session statistic updates.

Conditions:
APM is used as VDI proxy for Citrix or VMware.

Impact:
APM's VDI proxy does not perform to its full capacity.

Workaround:
None.


924521-4 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and does not reuse pooled connections.

Conditions:
Virtual server configured with both a WEBSSO and a OneConnect profile.

Impact:
Idle server-side connections that should be eligible for reuse by the virtual server are not used. This might lead to buildup of idle server-side connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.


924493-1 : VMware EULA has been updated

Component: TMOS

Symptoms:
The End User License Agreement (EULA) presented in VMware is out of date.

Conditions:
The EULA is presented to the user when deploying an OVF template.

Impact:
The current EULA is version: DOC-0355-16 (as explained in K12902: End User License Agreement Change Notice :: https://support.f5.com/csp/article/K12902).

Although the OVA EULA for 16.0.0 shows: DOC-0355-12, the EULA presented during license activation is the EULA in force for this instance, so you can safely ignore the discrepancy; there is no functional impact.

Workaround:
None needed. The EULA presented during license activation is the EULA in force for this instance.


924429-1 : Some large UCS archives may fail to restore due to the system reporting incorrect free disk space values

Component: TMOS

Symptoms:
While restoring a UCS archive, you get an error similar to the following example:

/var: Not enough free space
535162880 bytes required
326418432 bytes available
/shared/my.ucs: Not enough free disk space to install!
Operation aborted.
/var/tmp/configsync.spec: Error installing package
Config install aborted.
Unexpected Error: UCS loading process failed.

As part of restoring UCS archives, some files (for example, the contents of the filestore) are temporarily copied to the /var/tmp directory.

The script that ensures enough free disk space is available for the UCS restore operation incorrectly reports the /var filesystem's free disk space for the /var/tmp directory.

This is incorrect, as /var/tmp is a symlink to /shared/tmp, and so the free disk space of the /shared filesystem should be used instead.

Conditions:
-- Restoring a UCS file.
-- The UCS file contains large items that are temporarily stored under the /var/tmp directory (for example, many EPSEC files, many large external data-groups, etc.).
-- The /var filesystem has limited free disk space.

Impact:
The UCS installation fails even if /var/tmp has sufficient disk space.

Workaround:
None.


923745-4 : Ctrl-Alt-Del reboots the system

Component: TMOS

Symptoms:
A device reboot occurs when pressing Ctrl-Alt-Del.

Conditions:
This occurs when pressing Ctrl-Alt-Del or sending the command to a BIG-IP Virtual Edition (VE) virtual console.

Impact:
Accidental reboots are possible. You should not reboot VE using Ctrl-Alt-Del.

Workaround:
Run the following command:

systemctl mask ctrl-alt-del.target


923221-2 : BD does not use all the CPU cores

Component: Application Security Manager

Symptoms:
Not all the CPUs are utilized. The CPUs that are not loaded are those with ID greater than 31.

Conditions:
BIG-IP is installed on a device with more than 32 cores.

Impact:
ASM does not use all of the available CPU cores.

Workaround:
1. Modify the following file on the BIG-IP system:
   /usr/local/share/perl5/F5/ProcessHandler.pm

Change this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFF'

To this:
  ALL_CPUS_AFFINITY => '0xFFFFFFFFFFFF',

2. Restart the asm process:
   bigstart restart asm.


922885-1 : BIG-IP Virtual Edition does not pass traffic on ESXi 6.5

Component: TMOS

Symptoms:
BIG-IP Virtual Edition (VE) does not pass traffic when deployed on ESXi 6.5 hypervisors, when the VE is using VMXNET 3 network interfaces (VMXNET 3 interfaces are the default).

'tmsh show net interface' indicates that one or more interfaces are not initialized.

Conditions:
-- BIG-IP VE running on VMware ESXi 6.5 hypervisor.

Impact:
Traffic does not pass through non-mgmt interfaces.

Workaround:
-- On the BIG-IP systems, you can switch to the 'sock' driver.

Note: The workarounds that switch driver must be applied individually to devices, as they do not synchronize via ConfigSync.

IMPORTANT: The driver must be configured the same way on all devices in a sync-failover device group.

1, At the command prompt, run the following command to enable the sock driver in tmm_init.tcl:

echo "device driver vendor_dev 15ad:07b0 sock" >> tmm_init.tcl

2. Restart tmm:

tmsh restart sys service tmm

-- After restarting, the sock driver should be listed in the 'driver_in_use' column when running the following command.

tmctl -d blade tmm/device_probed
pci_bdf pseudo_name type available_drivers driver_in_use
------------ ----------- --------- --------------------- -------------
0000:03:00.0 F5DEV_PCI xnet, vmxnet3, sock,
0000:0b:00.0 1.1 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:13:00.0 1.2 F5DEV_PCI xnet, vmxnet3, sock, sock
0000:1b:00.0 1.3 F5DEV_PCI xnet, vmxnet3, sock, sock


922641-5 : Any iRules that park in a clientside or serverside command leave the iRule attached to the wrong flow

Component: Local Traffic Manager

Symptoms:
iRule commands issued after a clientside or serverside command operate on the wrong peer flow.

Conditions:
An iRule contains a script that parks in a clientside or serverside command.

Examples of parking commands include 'table' and 'persist'.

Impact:
The iRule commands operate on the wrong peer flow.

Workaround:
Avoid using commands that park inside the clientside or serverside command.


922613-3 : Tunnels using autolasthop might drop traffic with ICMP route unreachable

Component: TMOS

Symptoms:
Traffic that should be encapsulated and sent via tunnel might get dropped with an ICMP error, destination unreachable, unreachable route. This happens in a scenario where no route exists towards the remote tunnel endpoint and the BIG-IP system relies on autolasthop to send the encapsulated traffic back to the other end of the tunnel.

Conditions:
No route exists to the other end of the tunnel.

Impact:
Traffic dropped with ICMP error, destination unreachable, unreachable route.

Workaround:
Create a route towards the other remote end of the tunnel.


922413-1 : Excessive memory consumption with ntlmconnpool configured

Component: Local Traffic Manager

Symptoms:
OneConnect allows load balancing of HTTP requests from the same client connection over a pool of server side connections. When NTLM authentication is used, the NTLM Conn Pool allows reuse of server-side connections for authenticated client side connections. It holds HTTP authentication headers which is no longer necessary once a client is authenticated.

Conditions:
-- The virtual server is configured with both OneConnect and NTLM Conn Pool profiles.
-- A large number of client systems with NTLM authentication are load balanced via the virtual server with long-lived connections.

Impact:
The BIG-IP system experiences memory pressure, which may result in an out-of-memory condition and a process crash, and potentially cause failover and interruption of traffic processing.

Workaround:
None.


922297-1 : TMM does not start when using more than 11 interfaces with more than 11 vCPUs

Component: TMOS

Symptoms:
TMM may not start when using more than 11 network interfaces with more than 11 vCPUs configured.

In /var/log/tmm it can be seen that tmm0 is waiting for another TMM, e.g.:

-- notice ixlv(1.1)[0:5.0]: Waiting for tmm10 to reach state 1...

In the TMM log for that TMM, it can be seen that it is waiting for tmm0, e.g.:

-- notice ixlv(1.10)[0:6.0]: Waiting for tmm0 to reach state 2...

Conditions:
-- BIG-IP Virtual Edition (VE).
-- More than 11 interfaces configured.
-- More than 11 vCPUs configured.

Impact:
TMM does not start.

Workaround:
Configure fewer network interfaces or vCPUs.


922261-1 : WebSocket server messages are logged even it is not configured

Component: Application Security Manager

Symptoms:
BIG-IP systems send unexpected WebSocket server messages to the remote logging server.

Conditions:
-- ASM provisioned.
-- ASM policy and WebSocket profile attached to a virtual server.
-- More than one remote logging profile is attached to a virtual server.
-- One of the remote loggers has response-logging=all.

Impact:
Remote logging server overloaded with unexpected WebSocket messages.

Workaround:
Set response-logging=illegal in all remote logging profiles.


922185-2 : No support for LDAP referrals for ' cert-ldap system-auth'

Component: TMOS

Symptoms:
When using cert-ldap auth source, the only way to globally disable the referrals is to manually edit the /nslcd.conf file

Conditions:
Using cert-ldap auth source.

Impact:
The cert-ldap authentication does not work.

Workaround:
Manually edit the /etc/nslcd.conf and set the referrals to no.


922153-1 : Tcpdump is failing on tmm 0.x interfaces

Component: TMOS

Symptoms:
The tcpdump command exits immediately with an error:
 errbuf ERROR:TMM side closing: Aborted
tcpdump: pcap_loop: TMM side closing: Aborted

Conditions:
Capturing the packets on tmm interfaces.

Impact:
Unable to capture the packets on specific tmm interfaces.

Workaround:
There are two possible workarounds:

-- Start tcpdump on the tmm that actually owns the interface using the TCPDUMP_ADDR command; for example, using blade1 for 1/0.16, run the command:

TCPDUMP_ADDR=127.1.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16


-- Send the TCPDUMP_ADDR command to a specific tmm, which could work from any blade (127.20.<slot>.<tmmnumber+1> (e.g. 127.20.1.1 == slot1/tmm0, 127.20.2.16 == slot2/tmm15):

TCPDUMP_ADDR=127.20.1.16 tcpdump -w testcap.pcap -s 0 -i 1/0.16


922005-2 : Stats on a certain counter for web-acceleration profile may show excessive value

Component: Local Traffic Manager

Symptoms:
When the BIG-IP system is configured to use the RAM Cache feature, a corresponding profile may report an excessively large value for the cache_misses_all counter under certain conditions.

Conditions:
-- The BIG-IP system has a virtual server with web-acceleration profile without an application (RAM Cache feature).
-- The virtual receives uncacheable requests which are interrupted by a client or are not served by a server.

Impact:
A value for cache_misses_all incurs an arithmetic overflow, and shows an excessive number comparable with 1.8e19. The issue has no functional impact; the system operates as normal.

Workaround:
None.


921881-1 : Use of IPFIX log destination can result in increased CPU utilization

Component: TMOS

Symptoms:
-- Increased baseline CPU.

- The memory_usage_stats table shows a continuous increase in mds_* rows.

Conditions:
Configure IPFIX log destination and make regular changes to the associated configuration.

Impact:
Increased baseline CPU may result in exhaustion of CPU resources.

Workaround:
Limiting changes to associated configuration can slow the effects of this issue.


921677-1 : Deletion of bot-related ordered items via tmsh might cause errors when adding new items via GUI.

Component: Application Security Manager

Symptoms:
When deleting (via tmsh) bot-related ordered list items like bot white-lists, bot-microservices, and bot-microservices URLs, an error occurs when adding and saving new items via GUI:

Bot defense profile <profile full name> error: match-order should be unique.

Conditions:
1.Create three items with consecutive match-orders values via tmsh, for example: three bot whitelist items, the first with match-order 1, the second with match-order 2, and the third with match-order 3.

2. Delete item with the value: match-order 2 (in tmsh), and save.

3. Switch to the GUI, add new whitelist item, and save.

Impact:
The system reports an error, and the bot configuration cannot be saved via GUI. However, dragging between items (and then dragging back) overcomes this error.

Workaround:
Drag between two items, and then drag back.


921625-1 : The certs extend function does not work for GTM/DNS sync group

Component: Global Traffic Manager (DNS)

Symptoms:
When GTM/DNS systems in the same sync group receive the error 'SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca', these systems cannot automatically connect to BIG-IP devices with which that GTM/DNS device has not already exchanged a SSL cert.

As part of normal functionality, when one GTM/DNS tries to connect to a BIG-IP server and receives 'unknown ca' SSL error, if its peer GTM/DNS has already built a connection with that BIG-IP server, then the second GTM/DNS system should also be able to connect to that BIG-IP server automatically. But it cannot because of this issue.

The problem exists only when the GTM/DNS device has not exchanged a cert with the BIG-IP server object, and there are two or more certs in /config/httpd/conf/ssl.crt/server.crt on that GTM/DNS device.

You might see messages similar to the following:

-- iqmgmt_ssl_connect: SSL error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca.
-- err gtmd[28112]: 011ae0fa:3: iqmgmt_ssl_connect: SSL error: error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca (336151576).
-- notice gtmd[28112]: 011ae03d:5: Probe to 10.10.0.3: buffer = <direct><![CDATA[<clientcert><ip>10.10.0.10</ip><target_ip>10.10.0.6</target_ip><cert>....

Conditions:
-- /config/httpd/conf/ssl.crt/server.crt file with two or more certs on the requesting GTM/DNS device.
-- Configuration is as follows:
   1. GTMDNS1 and GTMDNS2 are in a same GTM/DNS sync group.
   2. GTMDNS1 has a self-authorized CA cert.
   3. You add a BIG-IP server that is is reachable but with which GTMDNS1 has not exchanged SSL certs.

Impact:
Certain GTM/DNS systems in the sync group cannot automatically connect to BIG-IP devices as expected. You must run additional bigip_add commands on those GTM/DNS systems in the GTM/DNS sync group to add the BIG-IP server.

Workaround:
Run bigip_add on each GTM/DNS server to add the configured BIG-IP servers.


921549-3 : The gtmd process does not receive updates from local big3d.

Component: Global Traffic Manager (DNS)

Symptoms:
Oversized server.crt file causes gtmd (other devices in a same syncgroup) from receiving from local big3d.

Conditions:
One GTM/DNS device in the syncgroup has an oversized server.crt file (approximately 4000 or larger) and sends a client cert direct message to peer GTM/DNS devices.

Impact:
The gtmd process marks resources down unexpectedly and does not receive persist updates.

Workaround:
1. For each GTM/DNS device, use bigip_add to add all BIG-IP servers configured in bigip_gtm.conf file.
2. Restart each GTM/DNS that is affected.


921541-2 : When certain sized payloads are gzipped, the resulting payload is chunked, incorrect, and is never delivered to the client due to missing end of chunk marker.

Component: Local Traffic Manager

Symptoms:
The HTTP session initiated by curl hangs.

Conditions:
-- The problem occurs when the file to be compressed meets the following criteria:
-- The following platforms with Intel QAT are affected:
   + B4450N (A114)
   + i4000 (C115)
   + i10000 (C116/C127)
   + i7000 (C118)
   + i5000 (C119)
   + i11000 (C123)
   + i11000 (C124)
   + i15000 (D116)
-- File size to be compressed is less than compression.qat.dispatchsize.
-- File size to be compressed is one of specific numbers from this list: 65535, 32768, 16384, 8192, 4096.

Impact:
Connection hangs, times out, and resets.

Workaround:
Use software compression.


921477-1 : Health monitors may fail when the HTTP RFC Compliance option is enabled in a dual BIG-IP setup.

Component: Local Traffic Manager

Symptoms:
With the HTTP RFC enforcement profile option enabled, incoming health monitor requests without an HTTP version in the request line (HTTP/0.9) may fail to produce the correct result for dual BIG-IP configurations. This can result in incoming health monitor traffic being incorrectly blocked when traveling through a virtual server. These health monitors will be unable to provide the correct availability of the intended resource. The default HTTP and HTTPS monitors as well as any custom monitors with a missing HTTP version in their requests could see this issue.

Conditions:
A dual BIG-IP configuration may provisioned with the following considerations.

-- One or more BIG-IP systems are in the network path for monitor traffic.

-- The first BIG-IP system uses a health monitor that initiates a health check request (without an HTTP version) in the request line (HTTP/0.9) against a second BIG-IP system.

-- The second (downstream) BIG-IP system has a virtual server that is the endpoint for the monitor. The virtual server is configured with an HTTP profile with the HTTP RFC Compliance profile option selected.

Impact:
Rather than receiving the correct health check result, the original BIG-IP system can fail to report whether the second BIG-IP is available.

Workaround:
You can use http_head_f5 monitor to perform health checks.


921441-3 : MR_INGRESS iRules that change diameter messages corrupt diam_msg

Component: Service Provider

Symptoms:
-- 'DIAMETER::host origin' command may not be set correctly.

There are errors in ltm/log:
err tmm[18562]: 014c0001:3: DIAMETER: hud_diam_handle error: Not found

Conditions:
-- Virtual server is configured with a diameter profile enabled with an ingress iRule, for example:

ltm rule Diameter - iRule {
  when MR_INGRESS {
    DIAMETER:: host origin "hostname.realm.example"
  }
}

-- Traffic arrives containing CER and ULR messages.

Impact:
Using the iRule to change the host origin corrupts the diameter message.

Workaround:
None.


921361-3 : SSL client and SSL server profile names truncated in GUI

Component: TMOS

Symptoms:
Unable to see the full name of the SSL client and SSL server profiles when assigning them in the GUI.

Conditions:
In Local Traffic :: Virtual Server :: Properties, the fields for the 'Selected' and 'Available' lists are narrower than they were in previous versions.

Impact:
With longer SSL profile names, the full name is not visible. Even the default, provided profiles, such as crypto-server-default-clientssl and crypto-client-default-serverssl, are truncated.

Note: The fields remain at the limited width even when the browser window is maximized.

Workaround:
Use tmsh to see the full SSL client and SSL server name.


921149-4 : After applying static bandwidth controller on a virtual server, any changes to the virtual server disassociates the BWC policy

Component: TMOS

Symptoms:
All Bandwidth Controller (BWC) stats are 0 (zero) even though traffic is passing.

Conditions:
-- A BWC policy is attached to a virtual server.
-- The virtual server's description is changed.

Impact:
The system disassociates the BWC policy from the virtual server. Traffic is no longer throttled according to the policy rules.

Workaround:
To reattach the policy, detach the Bandwidth Controller policy from the virtual server, and then reapply it.


921121-5 : Tmm crash with iRule and a PEM Policy with BWC Enabled

Component: TMOS

Symptoms:
Tmm crashes while passing traffic through PEM.

Conditions:
-- PEM policy with bandwidth controller.
-- iRule makes a traffic decision based on certain unique PEM sessions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


921065-2 : BIG-IP systems not responding to DPD requests from initiator after failover

Component: TMOS

Symptoms:
After failover, the active BIG-IP system fails to respond to DPD requests from some of its eNB neighbors, which results in deletion of IKE tunnel peer as well as the BIG-IP system.

Conditions:
-- The BIG-IP is configured with more than 300 IKE/IPsec tunnels.
-- The BIG-IP system fails over.

Impact:
Since BIG-IP systems do not respond to DPD requests, eNB deletes the IKE tunnel after a few retries.

Workaround:
None.


920961-1 : Devices incorrectly report 'In Sync' after an incremental sync

Component: Application Security Manager

Symptoms:
The security policies assigned to a virtual server are different among the devices in a traffic-group.

Conditions:
-- ASM provisioned.
-- Manual Sync Active-Standby Failover Device Group with ASM sync enabled.
-- An L7 ASM security policy is manually changed on a virtual server (not using the ASM wizard).

Impact:
After incremental sync, devices report 'In Sync' but there is a configuration discrepancy in the security policy assigned to the virtual server.

Workaround:
Modify the underlying LTM policy to be 'legacy':
   # tmsh modify ltm policy <LTM Policy Name> legacy


920817-7 : DNS Resource Records can be lost in certain circumstances

Component: Global Traffic Manager (DNS)

Symptoms:
DNS Zone syncing is missing Resource Records.

Conditions:
This occurs when a large number of configuration changes, including Wide IP changes, are made simultaneously on multiple GTM/DNS devices in a sync group.

Impact:
DNS Resource Records can be missing from the BIND DNS database.

The impact of this is that if GSLB Load Balancing falls back to BIND, the DNS Resource Records may not be present.

Workaround:
Restrict configuration (Wide IP) changes to one GTM/DNS device in a device group.

Note: It is also possible to turn off Zone Syncing. GTM/DNS configuration is still synced, but the you lose the ability to sync non-Wide IP changes to the BIND DB. If you do not utilize ZoneRunner to add additional non-Wide IP records, this is a problem only when GSLB resorts to Fallback to BIND. This can be mitigated with DNSX and DNS (off device) for non Wide IP Resource Records.


920789-1 : UDP commands in iRules executed during FLOW_INIT event fail

Component: Local Traffic Manager

Symptoms:
UDP commands in iRules executed during FLOW_INIT event fail.

Conditions:
An iRule that contains UDP commands is executed on the FLOW_INIT event.

Impact:
UDP commands in iRules executed during FLOW_INIT event fail.

Workaround:
None.


920761-1 : Changing a virtual server type in the GUI may change some options; changing back to the original type does not restore original values

Component: TMOS

Symptoms:
In the GUI if you change a virtual server from one type to another, there may be changes automatically applied to some of the settings. If you change the type back to its original value, those changes remain, and are saved when you click Update.

Conditions:
-- Modifying a virtual server from one type to another, and then changing it back to the original type.
-- Clicking Update.

Impact:
Unexpected configuration changes, which can lead to unexpected behavior of the BIG-IP system.

Workaround:
To prevent unwanted changes, when you change a virtual server's type and then change it back within the same session, click Cancel instead of Update.


920517-1 : Rate Shaping Rate Class 'Queue Method' and 'Drop Policy' defaults are incorrect in the GUI

Component: TMOS

Symptoms:
When creating a Rate Shaping Rate Class in the GUI, the default values for 'Queue Method' and 'Drop Policy' are not correct.

Conditions:
-- Creating a Rate Shaping Rate Class in the GUI.
-- Leaving 'Queue Method' and 'Drop Policy' settings as their defaults.

Impact:
Unexpected values in the configuration: 'Queue Method' is 'sfq' and 'Drop Policy' is 'tail'.

Workaround:
You can use either of the following workarounds:

-- Manually set the 'Queue Method' and 'Drop Policy' when creating a Rate Shaping Rate Class object. These settings are available in the 'Advanced' view of the 'General Properties' section. 'Queue Method' should be 'pfifo' and 'Drop Policy' should be 'fred'.

-- Use TMSH to create Rate Shaping Rate Class objects.


920361-1 : Standby device name sent in Traffic Statistics syslog/Splunk messages

Component: Advanced Firewall Manager

Symptoms:
'Traffic Statistics' syslog/Splunk messages are sent with the hostname of the standby device.

Conditions:
When a virtual server is configured with a security logging profile enabled for DoS Protection logging.

Impact:
'Traffic Statistics' syslog/Splunk messages show the wrong hostname. It should show the active device hostname.

Workaround:
None.


920205-3 : Rate shaping might suppress TCP RST

Component: Local Traffic Manager

Symptoms:
When rate shaping is configured, the system might suppress TCP RSTs issued by itself.

Conditions:
Rate shaping is configured.

Impact:
The rate-shaping instance drops TCP RSTs; the endpoint is not informed about the ungraceful shutdown.

Workaround:
Do not use rate-shaping.


920197-4 : Brute force mitigation can stop mitigating without a notification

Component: Application Security Manager

Symptoms:
A brute force attack coming from an entity (such as an IP address, etc.) may be stopped prematurely.

Conditions:
-- Many brute force attacks are happening at once, coming from many sources.
-- Distributed attack is not detected (due to configuration).

Impact:
At some point, an entity might not be mitigated due to the sheer number of mitigated entities. When this occurs, there is no notification.

Workaround:
None.


919861-2 : Tunnel Static Forwarding Table does not show entries per page

Component: TMOS

Symptoms:
On the Network :: Tunnels page of the GUI, if the Tunnel Static Forwarding Table contains more than one page of data, you are unable to advance past the first page.

Conditions:
Tunnel Static Forwarding Table contains a large number of configured tunnels.

Impact:
The content displayed on screen and does not conform to the system preference for Records Per Screen.

Workaround:
None.


919745-1 : CSV files downloaded from the Dashboard have the first row with all 'NaN

Component: TMOS

Symptoms:
In the Dashboard .csv file, all of the values in the first row are set to 'NaN'

Conditions:
This is encountered when loading the downloaded Dashboard .csv files with historical data from the GUI.

Impact:
The first row of the downloaded .csv from Dashboard shows all the values as 'NaN'.

Workaround:
None.


919553-1 : GTM/DNS monitors based on the TCP protocol may fail to mark a service up when the server's response spans multiple packets.

Component: Global Traffic Manager (DNS)

Symptoms:
GTM/DNS monitors based on the TCP protocol may fail to find the configured receive string in the server's response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when the server's response spans multiple packets (for example, when the response is particularly large or includes dynamically generated content delivered in chunks).

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by ensuring your server returns a response to the BIG-IP GTM/DNS's monitor that fits in one packet.


919401-1 : Disallow adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in TMSH when ICAP is not licensed

Component: TMOS

Symptoms:
If ICAP is not licensed, the system does not prevent you from adding Request Adapt Profiles and Response Adapt Profiles to virtual servers in the CLI. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.


919317-6 : NSM consumes 100% CPU processing nexthops for recursive ECMP routes

Component: TMOS

Symptoms:
The NSM process might enter a state where it gets stuck at 100% CPU usage.

Conditions:
ECMP routes reachable via recursive nexthops.

Impact:
NSM is stuck at 100% CPU usage.

Workaround:
Avoid using EMCP routes reachable via recursive nexthops.


919185-1 : Request adapt and response adapt profile options should not be available in the GUI when ICAP is not licensed

Component: TMOS

Symptoms:
The Request Adapt Profile and Response Adapt Profile settings are visible when creating or editing a virtual server in the GUI on systems that do not have ICAP licensed. If these profiles are configured, traffic does not pass through the virtual server and the following error is reported in /var/log/ltm:

crit tmm[3328]: 01010022:2: ICAP feature not licensed

Conditions:
-- ICAP is not licensed.
-- At least one virtual server has been configured with a Request Adapt Profile and/or a Response Adapt Profile.

Impact:
Traffic does not pass through the affected virtual servers.

Workaround:
Remove any configured Request Adapt Profiles and Response Adapt Profiles from virtual servers.


919001-3 : Live Update: Update Available notification is shown twice in rare conditions

Component: Application Security Manager

Symptoms:
When entering Live Update page, sometimes Update Available notification is shown twice.

Conditions:
You first enters Live Update page.

Impact:
Notification is shown twice.

Workaround:
None.


918905-1 : PCCD restart loop when using more than 256 FQDN entries in Firewall Rules

Component: Advanced Firewall Manager

Symptoms:
PCCD enters a restart loop, until the configuration is changed such that 256 or fewer FQDN entries are in use.

Conditions:
Greater than 256 FQDN entries are in use in Firewall Rules.

Impact:
PCCD restart loop. PCCD is not functional until there are 256 or fewer entries.

Workaround:
Use 256 or fewer FQDN entries in Firewall Rules.

To aid in the removal of extra rules when using tmsh, you can prevent PCCD restart messages from flooding the console:
1. Stop PCCD to halt the restart messages:
bigstart stop pccd
2. Modify the configuration.
3. Bring PCCD back up:
bigstart start pccd


918693-5 : Wide IP alias validation error during sync or config load

Component: Global Traffic Manager (DNS)

Symptoms:
DB validation exception occurs during sync or config load:

01070734:3: Configuration error: DB validation exception, unique constraint violation on table (gtm_wideip_alias) object ID (1 /Common/alias.test.com www.test.com). A duplicate value was received for a non-primary key unique index field. DB exception text (Cannot update_indexes/checkpoint DB object, class:gtm_wideip_alias status:13)
Unexpected Error: Loading configuration process failed.

Conditions:
-- Wide IP has an alias associated with it.
-- Sync or load the config.

Impact:
You are unable to load config or full sync from peer GNS/GTM.

Workaround:
Follow this procedure:
1. Delete the wide IP alias on the destination device.
2. Try the sync or load config operation again.


918597-6 : Under certain conditions, deleting a topology record can result in a crash.

Component: Global Traffic Manager (DNS)

Symptoms:
During a topology load balancing decision, TMM can crash.

Conditions:
-- Topology records are deleted.
-- A load balancing decision using topology load balancing occurs.

Impact:
On very rare occasions, TMM can crash. Traffic disrupted while tmm restarts.

Workaround:
None.


918409-1 : BIG-IP i15600 / i15800 does not monitor all tmm processes for heartbeat failures

Component: TMOS

Symptoms:
If a BIG-IP device has more than 24 tmm instances and one of the tmm processes above the 24th cpu loops (e.g., in response to an internal issue), it loops indefinitely.

Conditions:
-- BIG-IP i15600 / i15800 platforms.
-- Another issue occurs that that causes a tmm process greater than the 24th tmm process to loop.

Impact:
Traffic disrupted on the tmm process that is looping indefinitely.

Workaround:
1. Manually change /defaults/daemon.conf to include the appropriate tmm number and respective heartbeat action if the supported tmm is not listed.

Note: The change does not persist across software installs.

    a. mount -o remount,rw /usr
    b. Edit /defaults/daemon.conf and put these contents at the top of the file:

sys daemon-ha tmm24 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm25 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm26 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}
sys daemon-ha tmm27 {
    description none
    heartbeat enabled
    heartbeat-action go-offline-downlinks-restart
    running enabled
    running-timeout 2
}

    c. mount -o remount,ro /usr

2. After performing the edit, load the changes into the running configuration via 'tmsh load sys config partitions all'.
3. Verify that sod is now correctly monitoring tmm instances above tmm24 using a command such as:

    tmsh show sys ha-status all-properties | grep "daemon-heartbeat" | grep tmm


918277-1 : Slow Ramp does not take into account pool members' ratio weights

Component: Local Traffic Manager

Symptoms:
When a pool member is within its slow-ramp period, and is a member of a pool that uses a static-ratio-based load balancing algorithm, its ratio weight is not taken into account when balancing connections to it. If it has a ratio that is higher than other pool members, this can result in a sudden influx of connections once the pool member exits the slow-ramp period.

Conditions:
-- Pool with a non-zero slow-ramp timeout and a static-ratio-based load balancing algorithm.
-- Pool members within the pool have different ratio weights.
-- At least one pool member is inside its slow-ramp period.

Impact:
The pool member could still be overwhelmed despite the attempt to slow-ramp connections to it.

Workaround:
None.


918209-4 : GUI Network Map icons color scheme is not section 508 compliant

Component: TMOS

Symptoms:
Network Map color scheme is not compliant with Section 508 of the Rehabilitation Act (section 508). There is no clear difference between a green/active node and the blue/square items. With the new system colors and flat shapes, the icons are nearly identical. Other than shape (circle vs. square), the new colors appear identical; the blue and green are nearly appearing as one color.

Conditions:
Accessing Network Map from GUI via Local Traffic :: Network Map.

Impact:
There is no clear color difference between a green/active node icon and the blue/square icon.

Workaround:
None.


918169-4 : The GTM/DNS HTTPS monitor may fail to mark a service up when the SSL session undergoes an unclean shutdown.

Component: Global Traffic Manager (DNS)

Symptoms:
The GTM/DNS HTTPS monitor may fail to find the configured receive string in a HTTP response, causing the monitored service to be incorrectly marked down.

Conditions:
This issue occurs when all of the following conditions are true:

-- The server being monitored performs an unclean shutdown of the SSL session (the underlying TCP connection is closed without first issuing a close notify alert at the SSL level).

-- The server's HTTP response does not terminate with a newline.

Impact:
A service is incorrectly marked down. This can cause the BIG-IP GTM/DNS to return a suboptimal answer or no answer at all to DNS queries.

Workaround:
This issue can be worked around by performing any one of the following actions:

-- Ensure the server issues a close notify alert before it closes the underlying TCP connection.

-- Ensure the server's HTTP response ends with a newline.


918097-4 : Cookies set in the URI on Safari

Component: Application Security Manager

Symptoms:
When Bot Defense performs a 307 Redirect, the cookie is set on the URL if Bot Defense detects the Safari browser.

Conditions:
-- Bot Defense profile is attached to virtual server.
-- 'Browser Verification' set to 'Verify Before Access' or 'Verify After Access'.
-- 'Cross Domain Requests' set to 'Validate Upon Request'.
-- Surfing on Safari browser to a related domain.

Impact:
A cookie is set on the URL.

Workaround:
None.


918081-2 : Application Security Administrator role cannot create parent policy in the GUI

Component: Application Security Manager

Symptoms:
In the GUI, for the Application Security Administrator role, when you create a new ASM policy, the Policy Type is greyed out and the parent policy cannot be created

Conditions:
-- Create user account with the Application Security Administrator user role.
-- Use that account to logon to the GUI and try to create/edit the parent policy.

Impact:
The following actions are restricted to accounts with roles Application Security Administrator:
-- Create/Edit parent policy.
-- Edit Inheritance Settings for parent policy.
-- Clone Policy, selecting policy type is disabled.

Workaround:
There are two possible workarounds:
-- Have the Administrator or Resource Administrator create a parent policy instead of the Application Security Administrator.
-- Create parent policy using tmsh or REST call.


917637-4 : Tmm crash with ICAP filter

Component: Service Provider

Symptoms:
Tmm crashes while passing traffic.

Conditions:
-- Per-request policies configured.
-- ICAP is configured.

This is rare condition that occurs intermittently.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


916781-3 : Validation error while attaching DoS profile to GTP virtual

Component: Service Provider

Symptoms:
Validation error is observed while attaching DoS security profile to GPRS Tunneling Protocol (GTP) virtual server.

Conditions:
Attach DoS security profile to GTP virtual server.

Impact:
Validation error. Cannot attach DoS profile to GTP virtual server.

Workaround:
None.


916753-1 : RESOLV::lookup returns empty string when querying against a local virtual server, and results in possible tmm core

Component: Global Traffic Manager (DNS)

Symptoms:
-- RESOLV::lookup returns an empty string.
-- TMM might crash.

Conditions:
An iRule runs RESOLV::lookup targeting the query toward a local virtual server. For instance:

    RESOLV::lookup @/Common/my_dns_virtual www.example.com

Impact:
RESOLV::lookup does not return the expected result;
tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
In the RESOLV::lookup command, replace the name of the virtual server with its IP address, or the IP address of an external DNS server.

For instance, if /Common/my_dns_virtual has destination 192.0.2.53:53:

instead of this: RESOLV::lookup @/Common/my_dns_virtual
use this: RESOLV::lookup @192.0.2.53


916589-1 : QUIC drops 0RTT packets if CID length changes

Component: Local Traffic Manager

Symptoms:
QUIC sometimes rejects valid 0RTT packets.

Conditions:
-- QUIC enabled.
-- The Connection ID length assigned by the client for the server's CID does not match what the server assigned.

Impact:
QUIC drops 0RTT packets. Lost 0RTT packets increase latency.

Workaround:
None.


916485-3 : Tmsh install sys crypto key (SafeNet) command creates a duplicate mcp object

Component: Local Traffic Manager

Symptoms:
Running 'tmsh install sys crypto key' command for SafeNet keys creates a new mcp object with the keyname as the label name in HSM, and with the duplicate key-id.

Conditions:
This happens when trying to install the key using the key-label as the argument.

Impact:
Even after deleting the tmsh key (tmsh delete sys crypto key), the BIG-IP system can still pass traffic because there's a duplicate key pointing to the same key in the HSM.

Workaround:
None.


915829-3 : Particular Users unable to login with LDAP Authentication Provider

Component: TMOS

Symptoms:
With LDAP as authentication provider, some administrative users are unable to login to BIG-IP.

Conditions:
-- LDAP remote authentication.
-- Certain users, whose characteristics have not been identified.

Impact:
Certain client users cannot login to administer the BIG-IP system.

Workaround:
None.


915825-1 : Configuration error caused by Drafts folder in a deleted custom partition while upgrading.

Component: TMOS

Symptoms:
A configuration error occurs during upgrade due to custom partition-associated Draft folder, which exists in configuration file after deleting a custom partition.

Configuration error: Can't associate folder (/User/Drafts) folder does not exist.

Conditions:
This occurs in the following scenario:

1. Create Partition.
2. Create Policy under that partition.
3. Delete Policy.
4. Delete Partition.
5. Upgrade.

Impact:
Upgrade fails when a Drafts folder exists under the custom partition folder, if the custom partition is deleted.

Workaround:
Manually remove the stale folders in the configuration file, or use a script to remove them.


915713-1 : Support QUIC and HTTP3 draft-29

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-27 and draft-28. IETF has released draft-29.

Conditions:
Browser requests draft-29.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.


915689-2 : HTTP/2 dynamic header table may fail to identify indexed headers on the response side.

Component: Local Traffic Manager

Symptoms:
Some HTTP/2 response headers may be added to the dynamic header table even if this header is already stored in the table. Instead of subsequent responses using the correct dynamic header table index, these headers may be continually seen as being incrementally indexed.

Conditions:
-- HTTP/2 clientside profile.
-- Concurrent HTTP/2 responses contain headers.

Impact:
Select HTTP/2 response headers may fail to use the dynamic header table index. These headers are incrementally indexed on subsequent responses instead of using the existing table index.

Workaround:
None.


915605-2 : Image install fails if iRulesLX is provisioned and /usr mounted read-write

Component: Local Traffic Manager

Symptoms:
If iRulesLX is provisioned the /usr mount points are mounted as read-write. This causes the installation of an image to fail.

tmsh show software status will report the status for the target volume:

Could not access configuration source.

Conditions:
-- iRulesLX is provisioned.
-- The /usr mount points are mounted as read-write.
-- Attempt an installation or upgrade.

Impact:
Unable to upgrade or more generally install an image on a new or existing volume.

Workaround:
Re-mount /usr as read-only:

mount -o remount,ro /usr


915557-1 : The pool statistics GUI page fails (General database error retrieving information.) when filtering on pool status.

Component: TMOS

Symptoms:
When using the pool statistics GUI page, the page stops displaying and the GUI shows the following error:

General database error retrieving information.

Conditions:
You attempt to apply a Status filter (e.g., Available) to display only some pools.

Impact:
The Status filter is not usable. Additionally, the page continues not to display even after you navigate away from the page and later return to it.

Workaround:
There is no workaround to prevent the issue, but if you wish to access that page again (and not use the Status filter), you can do so by clearing your browser's cache.


915497-1 : New Traffic Class Page shows multiple question marks.

Component: TMOS

Symptoms:
When you navigate to the traffic class creation page by clicking Create button in the Traffic Class list page, Chinese characters are displayed with multiple question marks.

Conditions:
This is encountered when creating a new Traffic Class.

Impact:
Multi-byte characters are displayed incorrectly.

Workaround:
None.


915493-5 : imish command hangs when ospfd is enabled

Component: TMOS

Symptoms:
Running the imish command hangs when ospfd is enabled.

Conditions:
-- Dynamic routing enabled.
-- The ospfd protocol is enabled.
-- Running the imish command.

Impact:
The imish operation hangs.

Workaround:
Restart the ospfd daemon.


915489-3 : LTM Virtual Server Health is not affected by iRule Requests dropped

Component: Anomaly Detection Services

Symptoms:
Virtual Server Health should not take into account deliberate drop requests.

Conditions:
-- DoS profile is attached to Virtual Server.
-- iRule that drops requests on some condition is also attached to the virtual server.

Impact:
Server Health reflects it is overloading status more precisely.

Workaround:
Do not use iRules to drop requests when Behavioral DoS is configured.


915305-6 : Point-to-point tunnel flows do not refresh connection entries; traffic dropped/discarded

Component: TMOS

Symptoms:
Dynamic routing changes do not cause point-to-point tunnel flows to refresh their connection entries causing tunneled traffic to be dropped/discarded.

Conditions:
Path to a remote tunnel endpoint is provided by a dynamic routing.

Impact:
Tunneled traffic might be dropped/discarded by the BIG-IP system.

Workaround:
Use static routing to provide a path to remote tunnel endpoint.


915281-3 : Do not rearm TCP Keep Alive timer under certain conditions

Component: Local Traffic Manager

Symptoms:
Increased CPU usage due to zombie TCP flows rearming TCP Keep Alive timer continuously and unnecessarily.

Conditions:
-- A large number of zombie flows exists.
-- TCP Keep Alive timer is rearmed aggressively for zombie flows with very small idle_timeout (0) value.
-- TCP Keep alive timer keeps expiring and is rearmed continuously.

Impact:
Continuous rearming results in consuming CPU resources unnecessarily.

Workaround:
None.


915221-5 : DoS unconditionally logs MCP messages to /var/tmp/mcpd.out

Component: Advanced Firewall Manager

Symptoms:
Excessive and large DoS debug messages associated with tmsh commands and stat queries are logged to /var/tmp/mcpd.out which is not log-rotated.

Conditions:
-- AFM is provisioned.
-- DoS queries executed via tmsh.

Impact:
Disk space is consumed on the filesystem for /var/tmp, which can eventually lead to follow-on failures when the disk fills up.

Workaround:
Delete or purge /var/tmp/mcpd.out.


915141-1 : Availability status of virtual server remains 'available' even after associated pool's availability becomes 'unknown'

Component: TMOS

Symptoms:
Availability status of virtual server can be left 'available' even if the corresponding pool's availability becomes 'unknown'.

Conditions:
- Pool member is configured as an FQDN node.
- You set monitor to 'none' with the pool.

Impact:
Inconsistent availability status of pool and virtual server.

Workaround:
Set the FQDN node to 'force offline', and then 'enable'. This triggers virtual server's status updates and syncs to pool.


914761-4 : Crontab backup to save UCS ends with Unexpected Error: UCS saving process failed.

Component: TMOS

Symptoms:
Using crontab to automatically backup UCS file by scheduling cronjobs fails due to SELinux permissions. The failure produces the following error:

Unexpected Error: UCS saving process failed.

Conditions:
This is encountered when 'tmsh save sys ucs' is executed through a cronjob.

Impact:
UCS file is not successfully saved and backup fails.

Workaround:
None.


914681-1 : Value of tmm.quic.log.level can differ between TMSH and GUI

Component: Local Traffic Manager

Symptoms:
The value of the QUIC logging level is erroneously shown as 'Error' in the GUI.

Conditions:
Set tmm.quic.log.level to 'Info' or 'Critical' in TMSH.

Impact:
Misleading log level displayed in the GUI.

Workaround:
Use TMSH to set and view values for tmm.quic.log.level.


914645-4 : Unable to apply LTM policies to virtual servers after running 'mount -a'

Component: TMOS

Symptoms:
After attempting to assign an LTM policy to a virtual server, you may get an error in the GUI:

010716d8:3: Compilation of ltm policies for virtual server /Common/VS failed; Couldn't publish shared memory segment.

You may also see this logged in /var/log/ltm:

 err mcpd[6905]: 010716d5:3: Failed to publish LOIPC object for (loipc_VS.1589526000.777142413). Call to (shm_open) failed with errno (13) errstr (Permission denied).

Conditions:
-- Run the command:
mount -a
-- Attempt to assign an LTM policy to a virtual server.

Impact:
Unable to apply LTM policies.

Workaround:
Run the following command to enable assigning an LTM policy to a virtual server:
umount -l /dev/shm


914589-1 : VLAN Failsafe timeout is not always respected

Component: Local Traffic Manager

Symptoms:
VLAN Failsafe timeout is triggered later than its configured interval.

Conditions:
-- Rarely happen on first failover. More commonly occurs on 3rd/4th failover.
-- Specific conditions that cause this issue are not known.

Impact:
VLAN Failsafe timeout might be triggered later than it is configured.

The exact impact varies based on the configuration and traffic activity.

Workaround:
Use another form of automatic failover if needed (gateway failsafe, ha-groups, etc.).


914293-4 : TMM SIGSEGV and crash

Component: Anomaly Detection Services

Symptoms:
Tmm crash when using iRule to reject connections when Behavioral DoS is enabled.

Conditions:
This can occur due to an interaction between a Behavioral DoS policy and an iRule designed to potentially drop some of the connections.

Impact:
With heavy traffic, the tmm process might crash. Traffic disrupted while tmm restarts.

Workaround:
Do not use iRules to reject connections that are bound to a virtual server with a Behavioral DoS policy attached.


914277-1 : [ASM - AWS] - Auto Scaling BIG-IP systems overwrite ASU

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, Live Update configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.
-- New ASU is automatically downloaded by Live Update at the new host.

Impact:
Live Update configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable

In order to still have automatic updates for the group, the db variable can be enabled for the master device. Then this setting will be applied on every new host after joining the group and receiving the initial sync from the master.


913917-1 : Unable to save UCS

Component: Global Traffic Manager (DNS)

Symptoms:
You are unable to create a backup UCS.

You see a warning in /var/log/restjavad.0.log:

[WARNING][8100/tm/shared/sys/backup/306b4630-aa74-4a3d-af70-0d49bdd1d89e/worker UcsBackupTaskWorker] Failure with backup process 306b4630-aa74-4a3d-af70-0d49bdd1d89e.
This is followed by a list of some files in /var/named/config/namedb/.

Conditions:
Named has some Slave zones configured and is going through frequent zone transfer.

Impact:
You are unable to create a UCS file.

Workaround:
Stop named zone transfer while doing UCS backup.


913849-2 : Syslog-ng periodically logs nothing for 20 seconds

Component: TMOS

Symptoms:
Once per minute, syslog-ng logs nothing for 20 seconds.

Conditions:
-- A remote syslog server is specified by hostname, forcing syslog-ng to resolve it.
-- the DNS resolution times out (for example, if the DNS server is unreachable)

Impact:
When using DNS names to specify remote syslog destinations and DNS is unreachable, syslog-ng re-attempts to resolve the name every 60 seconds. This resolution has a 20 seconds timeout, and blocks the syslog process from writing logs to disk during that time.

Note that the logs are buffered, not lost, and will still be written to disk (with the correct timestamps) once the DNS query times out.

Workaround:
None.


913829-5 : i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades may lose efficiency when source ports form an arithmetic sequence

Component: TMOS

Symptoms:
Traffic imbalance between tmm threads. You might see the traffic imbalance by running the following command:
tmsh show sys tmm-traffic

Conditions:
Source ports used to connect to i15000, i15800, i5000, i7000, i10000, i11000 and B4450 blades form an arithmetic sequence.

For example, some client devices always use even source port numbers for ephemeral connections they initiate. This means the 'stride' of the ports selected is '2'. Because a sorted list of the ports yields a list like 2, 4, 6, 8... 32002, 32004. It is 'striding' over the odd ports; thus, a port stride of 2.

Impact:
Traffic imbalance may result in tmm threads on different CPU cores having imbalanced workloads. While this can sometimes impact on performance, an overloaded tmm thread can usually redistribute load to less loaded threads in a way that does not impact performance. However the loads on the CPU cores will appear imbalanced still.

Workaround:
Where possible, configure devices to draw from the largest possible pool of source ports when connecting via a BIG-IP system.


913761-1 : Security - Options section in navigation menu is visible for only Administrator users

Component: Application Security Manager

Symptoms:
The Security - Options section in the left navigation menu is visible for only for user accounts configured with the Administrator role.

Conditions:
You logged in as a user configured with a role other than Administrator.

Impact:
No direct access to many settings that are available only for user account configured with the Administrator role.

Workaround:
Direct links to the pages work for those with the appropriate roles.


913757-2 : Error viewing security policy settings for virtual server with FTP Protocol Security

Component: Application Security Manager

Symptoms:
The system reports an error message when trying to navigate to 'Security :: Policies' under virtual server properties:

An error has occurred while trying to process your request.

Conditions:
-- An FTP or SMTP profile with protocol security enabled is attached to a virtual server.
-- Attempt to navigate to 'Security :: Policies'.

Impact:
-- No policies appear. You cannot perform any operations on the 'Security :: Policies' screen.
-- The following error message appears instead:

An error has occurred while trying to process your request.

Workaround:
As long as an FTP or SMTP profile with protocol security enabled is defined under virtual server properties (in another words, it is attached to a virtual server), this issue recurs. There are no true workarounds, but you can avoid the issue by using any of the following:

-- Use another profile, such as HTTP.
-- Set the FTP/SMTP profile under the virtual server settings to None.
-- Remove the profile via the GUI or the CLI (e.g., you can remove the profile from the virtual server in tmsh using this command:

 tmsh modify ltm virtual /Common/test-vs { profiles delete { ftp_security } }


913573-3 : Unable to complete REST API PUT request for 'tm/ltm/data-group/internal' endpoint.

Component: TMOS

Symptoms:
When REST API PUT request is call to modify LTM data-group internal without 'type' field in body-content, it fails intermittently with a 400 error.

--{"code":400,"message":"invalid property value \"type\":\"\"","errorStack":[],"apiError":26214401}

The 'type' field is not getting populated with default value and is set to null string "" instead.

Conditions:
-- PUT REST API request used to modify LTM data-group internal.
-- Type field is not specified in the body-content.

Impact:
Unable to update the configuration object (LTM data-group internal) with REST API PUT.

Workaround:
Include 'type' field inside PUT request body content for the operation to succeed.

Example Curl Command:
-- curl -isku <username>:<password> -H "Content-Type: application/json" -X PUT -d '{"records":[{"name":"1.1.1.1"}, {"name":"1.1.1.2"}], "type":"ip"}' https://localhost/mgmt/tm/ltm/data-group/internal/~Common~<Name>


913453-6 : URL Categorization: wr_urldbd cores while processing urlcat-query

Component: Traffic Classification Engine

Symptoms:
The webroot daemon (wr_urldbd) cores.

Conditions:
This can occur while passing traffic when webroot is enabled.

Impact:
The wr_urldbd daemon cores. URL Categorization functionality may not work as expected.

Workaround:
None.


913385-2 : TMM generates core while deleting iFiles

Component: Local Traffic Manager

Symptoms:
While deleting iFiles, TMM might crash and generates a core.

Conditions:
-- There is any ifile command in an iRule where you are giving a list object to the file name argument instead of to a string object, for example:

The 2nd line returns a list object, and the 3rd line is giving it to ifile command:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] "*$ifile_name"]
ifile get $ifile_name

-- A request is processed by the iRule.
-- Attempt to delete the file in which the issue occurred.

Impact:
TMM crashes and restarts, triggering failover in high availability (HA) configurations. Traffic disruption while TMM restarts on a standalone configuration.

Workaround:
Ensure that the iRule gives a string object to ifile commands. Here is a sample iRule that implements the workaround:

set ifile_name tcl.1
set ifile_name [lsearch -glob -inline [ifile listall] "*$ifile_name"]
ifile get [format "%s" $ifile_name]


913249-1 : Restore missing UDP statistics

Component: Local Traffic Manager

Symptoms:
The following UDP statistics are missing:
-- bufdropdgram
-- maxrate_conns
-- maxrate_cur_conns
-- sendbuf_cur_bytes
-- queue_dropped_bytes

Conditions:
Viewing UDP statistics.

Impact:
Unable to view these UDP statistics.

Workaround:
None.


913137-2 : No learning suggestion on ASM policies enabled via LTM policy

Component: Application Security Manager

Symptoms:
ASM policy has the option 'Learn only from non-bot traffic' enabled, but the Policy Builder detects that the client is a bot, and therefore does not issue learning suggestions for the traffic.

Conditions:
-- ASM policy is enabled via LTM policy.
-- ASM policy configured to learn only from non-bot traffic.

This applies to complex policies, and in some configurations may happen also when a simple policy is enabled via LTM policy.

Impact:
No learning suggestions.

Workaround:
Disable the option 'Learn only from non-bot traffic' on the ASM policy.


913085-2 : Avrd core when avrd process is stopped or restarted

Component: Application Visibility and Reporting

Symptoms:
When the avrd process is stopped or restarted, it fails with core before the exit. A core file with the name starting with SENDER_HTTPS (for example, SENDER_HTTPS.bld0.0.9.core.gz) can be found in /shared/cores/ directory.

Conditions:
A BIG-IP system is registered on BIG-IQ and has established an HTTPS connection with BIG-IQ for sending stats data.

Impact:
Avrd cores while exiting. There is no impact on BIG-IP system functionality.

Workaround:
None.


912761-1 : Link throughput statistics are different

Component: Global Traffic Manager (DNS)

Symptoms:
Different link throughput statistics are seen on GTM/DNS systems that are connected by full-mesh iQuery.

Conditions:
-- The same link is used on different BIG-IP addresses as a pool member in the default gateway pool.
-- A forwarding virtual server is used.

Impact:
Each GTM/DNS server might get different link throughput for the same link, and therefore make less-than-optimal decisions.

Workaround:
Do not use the same uplink for different BIG-IP devices.


912517-1 : MySQL monitor marks pool member down if 'send' is configured but no 'receive' strings are configured

Component: Local Traffic Manager

Symptoms:
If an LTM database monitor type (MySQL, MSSQL, Oracle, or PostgreSQL database monitor type) is configured with a 'send' string but with no 'receive' string to issue a user-specified database query, pool members using this monitor are marked DOWN, even though a connection to the configured database completed successfully.

Conditions:
-- An LTM pool or pool members is configured to use an LTM database (MySQL, MSSQL, Oracle or PostgreSQL) monitor type.
-- A 'send' string is configured for the monitor.
-- A 'receive' string is not configured.

Impact:
The database monitor marks the pool member down, even in cases where the pool member is actually pingable.

Workaround:
To work around this issue, configure 'send' and 'recv' strings for the database monitor that will always succeed when successfully connected to the specified database (with the configured username and password, if applicable).


912425-4 : Modification of in-tmm monitors may result in crash

Component: Local Traffic Manager

Symptoms:
TMM crash.

Conditions:
-- Modify in-tmm monitors.
-- Perform configuration sync.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
-- Disable in-tmm monitors.
-- Avoid config syncing to the active device.


912293-4 : Persistence might not work properly on virtual servers that utilize address lists

Component: Local Traffic Manager

Symptoms:
-- Connections to the virtual server might hang.
-- Increased tmm CPU utilization.

Conditions:
-- A virtual server is configured with a traffic-matching-criteria that utilizes a source-address-list and/or destination-address-list.

-- The virtual server utilizes certain persistence one of the following persistence types:
  + Source Address (but not hash-algorithm carp)
  + Destination Address (but not hash-algorithm carp)
  + Universal
  + Cookie (only cookie hash)
  + Host
  + SSL session
  + SIP
  + Hash (but not hash-algorithm carp)

Impact:
-- High tmm CPU utilization.
-- Stalled connections.

Workaround:
Enable match-across-virtuals in the persistence profile.

Note: Enabling match-across-virtuals might might affect the behavior of other virtual servers in the configuration that utilize persistence.


912089-1 : Some roles are missing necessary permission to perform Live Update

Component: Application Security Manager

Symptoms:
Certain roles, such as Resource Administrator and Application Security Operations Administrator, do not have sufficient permission levels to perform Live Update.

Conditions:
-- User with Resource Administrator or Application Security Operations Administrator role assigned.
-- Attempt to perform Live Update.

Impact:
Users with Resource Administrator and Application Security Operations Administrator role cannot perform Live Update.

Workaround:
None.


912001-2 : TMM cores on secondary blades of the Chassis system.

Component: Global Traffic Manager (DNS)

Symptoms:
When using DNS Cache on chassis systems with a forward zone pointing at a self IP for communication with local BIND, the following assert triggers:

tmm_panic (... "../net/loop.c:572: %sIDX set on listener%s") at ../lib/stdio.c:1307

Conditions:
-- Chassis system is used.
-- Secondary TMMs core dump.
-- Primary works as expected.

Impact:
TMMs on secondary blades core dump. Traffic disrupted while tmm restarts.

Workaround:
1) Create another virtual server that uses local Bind server.
2) Set the forward zones to point to that virtual server instead of the self IP as name servers.


911777-1 : BIG-IP SSL forward proxy might drop connection to servers with revoked certificate status.

Component: Local Traffic Manager

Symptoms:
If the server certificate status is revoked, SSL forward proxy configured with a new server SSL profile might drop the connection.

Conditions:
-- New SSL forward proxy server SSL profile is attached to the virtual server.
-- Revoked-cert-status-response-control is set to the default value (drop).
-- Certificate status service (e.g., CRL/OCSP) is configured on the server SSL profile.

Impact:
BIG-IP client connections are reset.

Workaround:
Change revoked-cert-status-response-control to ignore on the server SSL profile.


911729-3 : Redundant learning suggestion to set a Maximum Length when parameter is already at that value

Component: Application Security Manager

Symptoms:
Policy Builder is issuing a learning suggestion to set a specific maximum length for a parameter when that parameter already has that exact maximum length already configured.

Conditions:
-- Response learning is turned on
-- Response parameter length is less than, but close to, the currently configured maximum length limit.

Impact:
Redundant learning suggestion is issued.

Workaround:
You can either:
-- Ignore the learning suggestion (Click the Ignore button).
-- Turn off Learn from response.


911585-4 : PEM VE does not send CCRi when receiving multiple subscriber requests in a short interval

Component: Policy Enforcement Manager

Symptoms:
PEM sessions go to a stale state and the Credit Control Request (CCRi) is not sent.

Conditions:
-- PEM is configured and passing normal PEM traffic.
-- Using BIG-IP Virtual Edition (VE)

Impact:
Session is not established.

Workaround:
None.


911241-7 : The iqsyncer utility leaks memory for large bigip_gtm.conf file when log.gtm.level is set to debug

Component: Global Traffic Manager (DNS)

Symptoms:
The iqsyncer utility leaks memory.

Conditions:
-- There is a large bigip_gtm.conf.
-- The log.gtm.level is set to debug.

Impact:
The iqsyncer utility exhausts memory and is killed.

Workaround:
Do not set log.gtm.level equal to or higher than debug.


911041-4 : Suspending iRule FLOW_INIT on a virtual-to-virtual flow leads to a crash

Component: Local Traffic Manager

Symptoms:
An iRule executing on the FLOW_INIT event can suspend. If it does so while connecting to a virtual-to-virtual flow, it can cause a TCP crash, which results in a tmm restart.

Conditions:
An iRule executing on the FLOW_INIT event suspends while connecting to a virtual-to-virtual flow.

Impact:
Tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
Do not include any iRules that suspend processing in FLOW_INIT.


910673-1 : Nethsm-thales-install.sh installation fails with error 'Could not reach Thales HSM'

Component: Local Traffic Manager

Symptoms:
Thales installation script fails with error message.

ERROR: Could not reach Thales HSM "<ip>". Make sure the HSM IP address is correct and that the HSM is accessible to the BIG-IP.

Conditions:
This occurs when the ICMP ping is blocked between the BIG-IP system and netHSM.

Impact:
Thales/nCipher NetHSM client software installation fails.

Workaround:
Unblock ICMP ping between the BIG-IP system and netHSM.


910653-6 : iRule parking in clientside/serverside command may cause tmm restart

Component: Local Traffic Manager

Symptoms:
If an iRule utilizing the clientside or serverside command causes parking to occur while in the clientside/serverside command (table or after commands, for example), the connection is aborted while parked, and a subsequent iRule event attempts to run (CLIENT_CLOSED, for example), tmm may restart.

Conditions:
-- iRule using clientside or serverside command.
-- Use of commands that may park while in the clientside/serverside command.
-- Flow is aborted while iRule is parked.
-- iRule also has CLIENT_CLOSED or SERVER_CLOSED event handler.

For more information on the conditions that trigger iRule parking, see K12962: Some iRules commands temporarily suspend iRules processing, available at https://support.f5.com/csp/article/K12962.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
You can use either of the following workarounds:

-- Rework iRules to avoid use of clientside/serverside command.
-- Eliminate parking within the clientside/serverside commands.


910645-2 : Upgrade error 'Parsing default XML files. Failed to parse xml file'

Component: TMOS

Symptoms:
After upgrading BIG-IP APM, multiple error messages appear in /var/log/ltm:

-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/secure_access_client/default_secure_access_client.xml) errno(2) strerror(No such file or directory)
-- err mcpd[5352]: 010713cf:3: Parsing default XML files. Failed to parse xml file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) because Failed to stat file (/var/sam/www/client/customization-source/Common/modern/resource_app_tunnel/default_resource_app_tunnel.xml) errno(2) strerror(No such file or directory)

Conditions:
-- APM configuration.
-- Upgrade the BIG-IP system to v15.1.0 or newer.

Impact:
These are benign messages that do not indicate a functional issue. There is no impact; the system works correctly.

The errors occur when the upgraded BIG-IP APM configuration attempts to load resource definitions for the modern customization schema. However, by design, the modern customization schema does not define resources. Only the standard customization schema defines resources found under '/var/sam/www/client/customization-source/Common/standard/'.

Workaround:
None.


910521-1 : Support QUIC and HTTP draft-28

Component: Local Traffic Manager

Symptoms:
The BIG-IP system supports QUIC and HTTP/3 draft-25 and draft-27. IETF has released draft-28.

Conditions:
Browser requests draft-28.

Impact:
Connection downgrades to an older version, or fails if the browser cannot downgrade.

Workaround:
None.


910417-1 : TMM core may be seen when reattaching a vector to a DoS profile

Component: Advanced Firewall Manager

Symptoms:
TMM core resulting in potential loss of service.

Conditions:
Attaching and deleting the vector to a DoS profile multiple times while the traffic is ongoing.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


910273-1 : SSL Certificate version always displays as '1' in the GUI

Component: Local Traffic Manager

Symptoms:
In GUI an SSL certificate's version is displayed as '1', even if its version is higher than 1.

Conditions:
-- Viewing an SSL certificate in the GUI.
-- The SSL certificate's version is higher than 1.

Impact:
SSL certificate's version is displayed as '1'. There is no functional impact.

Workaround:
None.


910253-3 : BD error on HTTP response after upgrade

Component: Application Security Manager

Symptoms:
After upgrade, some requests can cause BD errors on response:

BEM|ERR |May 19 17:49:55.800|0983|response_header_accumulator.c:0200|Error: CookieMgrBuildCookie failed. ans 1 job 2957561040

IO_PLUGIN|ERR |May 19 17:49:55.800|0983|io_plugin.c:3320|TMEVT_RESPONSE: Cannot build a ts cookie.

Conditions:
-- Upgrading BIG-IP systems to v15.0.0 or later from versions earlier than v15.0.0.
-- ASM policy is configured on a virtual server.

Impact:
For some requests, the response can arrive truncated or not arrive at all.

Workaround:
Add an iRule that deletes ASM cookies:

when HTTP_REQUEST {
  set cookies [HTTP::cookie names]
  foreach aCookie $cookies {
    if {$aCookie matches_regex {^TS(?:[0-9a-fA-F]{6,8})(?:$|_[0-9]+$)}} {
      HTTP::cookie remove $aCookie
    }
  }
}

Note: Performing this workaround affects cookie-related violations (they may need to be disabled to use this workaround), session, and login protection.


910213-1 : LB::down iRule command is ineffective, and can lead to inconsistent pool member status

Component: Local Traffic Manager

Symptoms:
Use of the LB::down command in an iRule may not have the desired effect.

Specifically, the pool member is marked down within the tmm thread executing the iRule, but the status change is not updated to mcpd, or to other tmm threads.

As a result, the message 'Pool /Common/mypool member /Common/1.1.1.1:80 monitor status iRule down' does not appear in the log, and the status of the pool member is not updated when viewed in the GUI or via 'tmsh show ltm pool xxxx members'.

Conditions:
Using the LB::down command in an iRule.

Impact:
Because mcpd believes the pool member to be up, it does not update tmm's status, so tmm continues to regard it as down indefinitely, or until a monitor state change occurs.

If the LB::down command is used on all members of a pool, the affected tmms cannot load balance to that pool, even though the GUI/tmsh indicate that the pool has available members.

Because pool member status is stored on per-tmm basis and incoming connections are distributed across tmms using a hash, this can lead to apparently inconsistent results, where some traffic (traffic hitting a particular tmm) is rejected with an RST cause of 'No pool member available'.

Workaround:
No direct workaround, but the use of an inband monitor instead of the LB::down command may be effective. You must tune the inband monitor's settings to values consistent with the desired behavior.


910201-4 : OSPF - SPF/IA calculation scheduling might get stuck infinitely

Component: TMOS

Symptoms:
After SPF/IA calculation gets suspended, it might enter a state where it never fires again.

Conditions:
SPF/IA calculation gets suspended;

This occurs for various reasons; BIG-IP end users have no influence on it occurring.

Impact:
OSPF routes are visible in the OSPF database, but not installed in the routing table.

Workaround:
Restart the routing daemons:
# bigstart restart tmrouted

Running this command allows you to recover from this situation, but does not prevent the event from reoccurring.

If due to a topology, SPF/IA calculation suspension occurs again after a restart, this workaround essentially has no effect.


910105 : Partial HTTP/2 payload may freeze on the BIG-IP system

Component: Local Traffic Manager

Symptoms:
HTTP/2 allows sending the payload in both directions gradually, until a frame with an END_STREAM flag closes a direction. The BIG-IP does not properly handles an early response from a server when HTTP router is configured on a virtual and partial payload sent in each direction. In this case, communication over the stream hangs.

Conditions:
-- Virtual server is configured on the BIG-IP system with HTTP and HTTP/2 profiles on both the client and server sides.
-- HTTP router profile is configured on the virtual server.
-- Client sends a request and delivers a partial payload, waiting for a response from a server.
-- Server responds with a partial payload.

Impact:
A response with a partial payload is not delivered to a client. Communication freezes on that specific stream.

Workaround:
None.


910097-4 : Changing per-request policy while tmm is under traffic load may drop heartbeats

Component: Access Policy Manager

Symptoms:
Cluster failover, tmm restart, and tmm killed due to missed heartbeats. tmm crash

Conditions:
TMM is under load due to heavy traffic while MCP attempts to configure per-request policy. This can be caused by a modification to the policy or one of its agents, or by a restart of the TMM.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
When making changes to per-request policies, use a scheduled maintenance window so that impact to traffic is minimized.


909997-2 : Virtual server status displays as unavailable when it is accepting connections

Component: Local Traffic Manager

Symptoms:
After a rate limit is triggered and released, the virtual server status in the GUI remains as 'unavailable'. The virtual server resumes accepting new connections while the GUI shows the virtual server is unavailable.

Conditions:
-- The virtual server has a source address list configured.
-- Address lists define more than one address.
-- The connections are over the rate limit, and the virtual server status is marked unavailable.
-- The number of connections falls below the limit.

Impact:
Actual virtual server status is not reflected in GUI.

Workaround:
If the deployment design allows, you can use either of the following workarounds:

-- Remove the source address list from the virtual server.

-- Have a single address in the source address list.


909677-1 : HTTP/2 full proxy always sets the :scheme pseudo-header for HTTPS requests where the server-side connection is not encrypted

Component: Local Traffic Manager

Symptoms:
When using HTTP/2, the :scheme pseudo-header appears to always be set to HTTPS on requests, even when the server-side connection is not encrypted.

Conditions:
-- Using an HTTP/2 virtual server.
-- The server-side connection that is unencrypted.

Impact:
The impact of this issue varies based on how the application reacts at the server-side.

Workaround:
None.


909505-4 : Creating LTM data group external object fails.

Component: TMOS

Symptoms:
iControl REST command to create a data group fails if you do not set the externalFileName variable.

The same command works in tmsh, and you are not required to specify the externalFileName.

Conditions:
-- Creating a data group using iControl REST.
-- POST payload does not contain the externalFileName variable.

Impact:
You are unable to create the data group.

Workaround:
The command works if you specify the externalFileName parameter:

curl -sku $PASS https://$HOST/mgmt/tm/ltm/data-group/external -X POST -H "Content-type: application/json" -d '{"name":"fooBar", "externalFileName":"fooBar.txt"}'


909485-4 : Deleting LTM data-group external object incorrectly reports 200 when object fails to delete

Component: TMOS

Symptoms:
When you delete an LTM external data-group object using iControl REST, it incorrectly returns '200 OK' even though the object is not deleted.

Conditions:
-- Deleting an external data-group object via iControl REST.
-- The LTM external data-group object is referenced by another object (such as an iRule).

Impact:
The object still exists, even though the system returns a '200 OK' message indicating that the operation completed successfully.

Workaround:
None.


909197-2 : The mcpd process may become unresponsive

Component: TMOS

Symptoms:
-- The mcpd process is killed with SIGABRT by the sod watchdog due to failed heartbeat check.
-- There is high memory usage by the mcpd process prior to getting killed.
-- There is an mcpd core file contains a very long string. The core might contain a repeating pattern of '{ } { } { } ...'.

Conditions:
The mcpd process receives a malformed message from one of the control plane daemons.

Impact:
-- There is a temporary lack of responsiveness related to actions of inspecting and/or modifying system configuration: GUI, TMSH, etc., operations may fail or time out.
-- SNMP queries might go unanswered.
-- System daemons restart.
-- Traffic disrupted while mcpd restarts.

Workaround:
None.


908829-2 : The iqsyncer utility may not write the core file for system signals

Component: Global Traffic Manager (DNS)

Symptoms:
In certain instances, the iqsyncer utility may not write the core file for system signals.

Conditions:
SELinux policies enabled.
-- Run the iqsyncer utilities to initiate a core dump with system signals SIGABRT, SIGQUIT, and SIGSEGV.

Impact:
The iqsyncer utility does not write core file.

Workaround:
Disable SELinux with 'setenforce 0'.

You can now generate a core with a SIGQUIT (-3), but not with SIGABRT or SIGSEGV.


908801-2 : SELinux policies may prevent from iqsh/iqsyncer dumping core

Component: Global Traffic Manager (DNS)

Symptoms:
SELinux policies may prevent the iqsh/iqsyncer utilities from dumping core information.

Conditions:
-- SELinux policies enabled.
-- Run the iqsh/iqsyncer utilities to initiate a core dump.

Impact:
The operation does not result in dumping the core information.

Workaround:
Disable SELinux with 'setenforce 0'.


908753-2 : Password memory not effective even when password policy is configured

Component: TMOS

Symptoms:
The BIG-IP system does not prevent you from specifying previously used passwords, even if Secure Password Enforcement is enabled with password memory set to a non-zero value.

Conditions:
-- Password memory in auth settings is not 0 (zero).
-- Attempt to specify a previously specified password

Impact:
Password history to prevent user from using same password is not enforced.

Workaround:
None.


908601-1 : System restarts repeatedly after using the 'diskinit' utility with the '--style=volumes' option

Component: TMOS

Symptoms:
When the BIG-IP system boots, mcpd continually restarts.

Conditions:
This may occur after you issue the 'diskinit' command with the '--style=volumes' option in the MOS (Maintenance Operating System) shell, install BIG-IP into the new volume, then boot into the new installation of the BIG-IP system.

Impact:
The BIG-IP system is unable to complete the boot process and become active.

Workaround:
In the MOS shell, do not issue the 'diskinit' command with the '--style=volumes' option.

Instead, on BIG-IP v14.1.2.1 and later, you may use the 'image2disk' utility with the '-format' option to recreate the desired volume.

You also can achieve the same result by following the shell guidance. To begin, type 'start<enter>'.


If the system is already in the defective state, use this shell command, and then reboot:

touch /.tmos.platform.init

The problem should be resolved.


908517-4 : LDAP authenticating failures seen because of 'Too many open file handles at client (nslcd)'

Component: TMOS

Symptoms:
LDAP authentication fails with an error message:

err nslcd[2867]: accept() failed: Too many open files

Conditions:
This problem occurs when user-template is used instead of Bind DN.

Impact:
You cannot logon to the system using LDAP authentication.

Workaround:
None.


908477-1 : Request-adapt plus request-logging causes HTTP double-chunking in an ICAP request

Component: Service Provider

Symptoms:
When an HTTP chunked request is sent to a virtual server that has both a request-adapt (e.g., for ICAP), and a request-logging profile attached, the request that is sent to the ICAP server is doubly chunked.

Conditions:
-- A virtual server is configured with both a request-adapt (ICAP) and request-logging profile.
-- HTTP chunked requests are sent to this virtual server.

Impact:
Data corruption in the HTTP stream.

Workaround:
You can use either of the following workarounds:

-- Force rechunking on the HTTP profile:
request-chunking rechunk

-- Remove the request-logging profile (and potentially log requests) using an iRule instead.


908453-4 : Trunks with names longer than 32 characters update working-mbr-count in vCMP guests incorrectly

Component: TMOS

Symptoms:
When a trunk is configured with a name longer than 32 characters on a vCMP host, guests update the working-mbr-count for the trunk incorrectly when another trunk on the host changes. This might result in vCMP guests failing over unexpectedly.

Conditions:
-- Trunk configured with a name longer than 32 characters on vCMP host.
-- Trunk made available to guests for high availability (HA) Group scoring.
-- At least one other trunk configured on vCMP host.
-- Interface state changes in any other trunk.

Impact:
The vCMP guests may fail over unexpectedly.

Workaround:
Do not use trunk names longer than 32 characters.


908173-1 : Empty fields are shown in the policy version history

Component: Application Security Manager

Symptoms:
Empty fields are displayed instead of N/A in the policy version history.

Conditions:
1. Create and apply a new policy.
2. Open General Settings screen.
3. Open Policy Version History.

Impact:
Empty fields are shown (Source Policy Name and Source Host Name are empty), potentially implying an error condition, when in fact the field values are not applicable in this case.

Workaround:
None.


908065-1 : Logrotation for /var/log/avr blocked by files with .1 suffix

Component: Application Visibility and Reporting

Symptoms:
AVR logrotate reports errors in /var/log/avr:

error: error creating output file /var/log/avr/avrd.log.1: File exists
/var/log/avr/avrd.log will remain unchanged
/var/log/avr/avrd.log.1 will remain unchanged

Conditions:
Files ending with .1 exist in the log directory.

Impact:
Logrotate does not work. This might fill the disk with logs over time.

Workaround:
Remove or rename all of the .1 log files.


907997-1 : Source Policy Name instead of Current Policy used in Restore Policy Version

Component: Application Security Manager

Symptoms:
When trying to restore the policy from a previous version, the incorrect policy name is shown in the dialog window.

Conditions:
This is encountered while restoring policies from a previous version via the GUI.

Impact:
Misleading policy name is shown on restore policy dialog.

Workaround:
None.


907873-1 : Authentication tab is missing in VPE for RDG-RAP Access Policy type

Component: Access Policy Manager

Symptoms:
Authentication tab is missing in Visual Policy Editor (VPE) for RDG-RAP Access Policy type

Conditions:
Configuration of RDG-RAP Access Policy type in VPE.

Impact:
Authentication tab with AD/LDAP Query agents is missing in VPE.

Workaround:
Use the tmsh cli configuration of AD/LDAP Query for RDG-RAP Access Policy type.


907549-2 : Memory leak in BWC::Measure

Component: TMOS

Symptoms:
Memory leak in BWC calculator.

Conditions:
When the HSL log publisher is attached to the BWC::Measure instance in the Bandwidth policy.

Impact:
A memory leak occurs.

Workaround:
None.


907337-1 : BD crash on specific scenario

Component: Application Security Manager

Symptoms:
BD crashes.

Conditions:
A specific scenario that results in memory corruption.

Impact:
Failover, traffic disturbance. Traffic disrupted while BD restarts.

Workaround:
None.


907177-1 : Priority of embedded APM iRules is ignored

Component: Local Traffic Manager

Symptoms:
Custom iRule events are executed before the embedded APM iRule events, despite the custom iRule's priority value being larger than the APM iRule's priority value.

Conditions:
-- APM is provisioned.
-- Custom iRule with a priority value larger the APM iRule's priority value.

Impact:
Custom iRule event is executed before APM iRule event.

Workaround:
None.


907045-1 : QUIC HANDSHAKE_DONE is sent at the end of first flight

Component: Local Traffic Manager

Symptoms:
QUIC does not send the HANDSHAKE_DONE immediately on conclusion of the handshake. Instead, it sends an entire flight of data first.

Conditions:
This happens in normal operation.

Impact:
The end user system has to store handshake state longer than it might have to otherwise.

Workaround:
None.


907025-4 : Live update error" 'Try to reload page'

Component: Application Security Manager

Symptoms:
When trying to update Attack Signatures. the following error message is shown:

Could not communicate with system. Try to reload page.

Conditions:
Insufficient disk space to update the Attack Signature.

Impact:
Live Update unable to restore the database during startup. Device runs out of disk space, which leads to failure in writing live update hsqldb log file. The liveupdatedb.script file, which is based on the .log file, is truncated and missing necessary settings in order to initialize the live update database.

Workaround:
This following procedure restores the database to its default, initial state:

1. Remove the sigfile.tmp.* directories under /var/ts/var/tmp.

2. Delete the script:
delete /var/lib/hsqldb/live-update/liveupdatedb.script

3. Create a new script:
create new /var/lib/hsqldb/live-update/liveupdatedb.script.

4. Add the following lines to create the live update database schema and set the SA user as expected:

 CREATE SCHEMA PUBLIC AUTHORIZATION DBA
 CREATE MEMORY TABLE AVAILABILITY(ID VARCHAR(255) NOT NULL,ERRORMESSAGE VARCHAR(255),LASTCHECKDATETIME BIGINT,LASTCHECKUPDATEFILE VARCHAR(255),STATUS VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT AVAILABILITY_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLSCHEDULE(ID VARCHAR(255) NOT NULL,APPLYATALLTIMES BOOLEAN,APPLYONALLDAYS BOOLEAN,APPLYONFRIDAYS BOOLEAN,APPLYONMONDAYS BOOLEAN,APPLYONSATURDAYS BOOLEAN,APPLYONSUNDAYS BOOLEAN,APPLYONTHURSDAYS BOOLEAN,APPLYONTUESDAYS BOOLEAN,APPLYONWEDNESDAYS BOOLEAN,ENDTIME VARCHAR(255),FREQUENCY VARCHAR(255),STARTTIME VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT INSTALLSCHEDULE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE UPDATEFILE(ID VARCHAR(255) NOT NULL,CREATEDATETIME BIGINT,FILELOCATION VARCHAR(255),FILENAME VARCHAR(255),ISFILEAVAILABLE BOOLEAN,ISFILEMANUALLYUPLOADED BOOLEAN,ISGENESIS BOOLEAN,MD5 VARCHAR(255),"TYPE" VARCHAR(255),CONSTRAINT UPDATEFILE_PK PRIMARY KEY(ID))
 CREATE MEMORY TABLE INSTALLATION(ID VARCHAR(255) NOT NULL,ADDEDENTITIESCOUNT INTEGER,DELETEDENTITIESCOUNT INTEGER,ERRORMESSAGE VARCHAR(255),LASTREADMEFILENAME VARCHAR(255),LASTUPDATEMICROS BIGINT,LOADDATETIME BIGINT,MODIFIEDENTITIESCOUNT INTEGER,README VARCHAR(500000),STATUS VARCHAR(255),"TYPE" VARCHAR(255),UPDATEFILE_ID_OID VARCHAR(255),CONSTRAINT INSTALLATION_PK PRIMARY KEY(ID),CONSTRAINT INSTALLATION_FK1 FOREIGN KEY(UPDATEFILE_ID_OID) REFERENCES UPDATEFILE(ID))
 CREATE INDEX INSTALLATION_N49 ON INSTALLATION(UPDATEFILE_ID_OID)
 CREATE MEMORY TABLE INSTALLATION_DELETEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_DELETEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_DELETEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_DELETEDENTITYLIST_N49 ON INSTALLATION_DELETEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_MODIFIEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_MODIFIEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_MODIFIEDENTITYLIST_N49 ON INSTALLATION_MODIFIEDENTITYLIST(ID_OID)
 CREATE MEMORY TABLE INSTALLATION_ADDEDENTITYLIST(ID_OID VARCHAR(255) NOT NULL,"ELEMENT" LONGVARBINARY,IDX INTEGER NOT NULL,CONSTRAINT INSTALLATION_ADDEDENTITYLIST_PK PRIMARY KEY(ID_OID,IDX),CONSTRAINT INSTALLATION_ADDEDENTITYLIST_FK1 FOREIGN KEY(ID_OID) REFERENCES INSTALLATION(ID))
 CREATE INDEX INSTALLATION_ADDEDENTITYLIST_N49 ON INSTALLATION_ADDEDENTITYLIST(ID_OID)
 CREATE USER SA PASSWORD ""
 GRANT DBA TO SA
 SET WRITE_DELAY 20
 SET SCHEMA PUBLIC

5. Restart the tomcat process:
bigstart restart tomcat


906889-2 : Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Component: TMOS

Symptoms:
Incorrect totals for New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Conditions:
Viewing New Flows under Security :: Debug :: Flow Inspector :: Get Flows.

Impact:
Calculation mistake in the GUI: shows 8 times the actual values, for example:

  Packets In 2 shows as 016 in the GUI
  Packets Out 0 shows as 8 in the GUI

Workaround:
View statistics in tmsh.


906885-2 : Spelling mistake on AFM GUI Flow Inspector screen

Component: Advanced Firewall Manager

Symptoms:
On the AFM GUI Flow Inspector screen, there is a spelling mistake 'Additinal Info'. It should read 'Additional Info'.

Conditions:
You can locate the spelling error by following these steps:
1. Navigate to Security :: Debug :: Flow Inspector :: Get Flows (should be blank).
2. Select New Flows and then Get Flows.
3. Select the flow (i.e., click anywhere on the result except the hyperlink).

Impact:
There is a spelling mistake on the word 'Additional'. There is no functional impact to the system; this is a cosmetic issue only.

Workaround:
None.


906505-1 : Display of LCD System Menu cannot be configured via GUI on iSeries platforms

Component: TMOS

Symptoms:
In the BIG-IP Graphical User Interface (TMUI), display of the System Menu on the LCD front panel of most BIG-IP platforms can be enabled or disabled under System :: Configuration :: Device :: General.

However, on iSeries appliances, the 'Display LCD System Menu' option does not appear on this page.

Conditions:
This occurs on the following iSeries appliances:
-- i850
-- i2000-series (i2600/i2800)
-- i4000-series (i4600/i4800)
-- i5000-series (i5600/i5800/i5820-DF)
-- i7000-series (i7600/i7600-D/i7800/i7800-D/i7820-DF)
-- i10000-series (i10600/i10600-D/i10800/i10800-D)
-- i11000-series (i11600/i11800/i11400-DS/i11600-DS/i11800-DS)
-- i15000-series (i15600/i15800)

Impact:
The 'Display LCD System Menu' option cannot be configured via the GUI.

Workaround:
You can enable display of the LCD System Menu using the Command Line (CLI) by running the following commands, in sequence:

tmsh mod sys global-settings lcd-display [enabled|disabled]
tmsh mod sys db lcd.showmenu value [enabled|disabled]


906449-1 : Node, Pool Member, and Monitor Instance timestamps may be updated by config sync/load

Component: TMOS

Symptoms:
The text that describes the monitor state of an LTM node, pool member, or monitor instance also contains a timestamp that initially indicates when the monitor set the affected node or pool member to the indicated state. This timestamp can be affected by other actions, such as incremental or full config sync and config load.

The monitor-state description and timestamp can be viewed in the CLI (CLI/TMSH) and GUI (TMUI) as follows:

-- From the CLI/TMSH:
tmsh show ltm monitor <monitor_type> <monitor_name>

This command shows the state of ltm nodes or pool members currently monitored by the specified ltm health monitor, as in the following example:
-------------------------------------
 LTM::Monitor /Common/mysql_test
-------------------------------------
   Destination: 10.10.200.28:3296
   State time: down for 1hr:58mins:42sec
   | Last error: No successful responses received before deadline. @2020.03.25 14:10:24

-- From the GUI:
   + Navigate to Local Traffic :: Nodes : Node List :: <node_name>. The 'Availability' field shows text describing the node's monitored state with a timestamp.

   + Navigate to Local Traffic :: Pools : Pool List :: <pool_name>, under the Members tab, click the pool member name. The 'Availability' field shows text describing the pool member's monitored state with a timestamp.

Conditions:
This may occur under the following conditions:

-- If an incremental config sync occurs from one high availability (HA) member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + If a Node or Pool Member has been marked DOWN by a monitor, its timestamp may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a full/forced config sync occurs from one HA member to another member or to the device group:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on HA members receiving the incremental config sync.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on HA members receiving the incremental config sync.

-- If a config load occurs:
   + The timestamp on monitor instances for all Nodes or Pool Members (as shown by 'tmsh show ltm monitor <type> <name>') may be updated on the HA member where the config load occurred.
   + The timestamp for all Nodes or Pool Members may be updated in the GUI (Node List/Pool-Member list) on the HA member where the config load occurred.

Impact:
The timestamp indicated next to the monitored-state description for an LTM Node or Pool Member indicates when the Node or Pool Member was updated in ways other than by its configured monitor. Thus, this timestamp may not indicate the actual time of the monitor event suggested by the description text.

Workaround:
None.


905477-1 : The sdmd daemon cores during config sync when multiple devices configured for iRules LX

Component: Local Traffic Manager

Symptoms:
The iRules LX workspaces belong on only one device in a Device Service Cluster (DSC). If you have the same iRules LX workspace configured on multiple devices and then perform a config sync operation, the sdmd daemon cores.

Conditions:
-- Multiple devices configured with the same iRules LX workspace in a DSC.
-- Change one of the devices such that the configuration requires a config sync.
-- Perform the config sync.

Impact:
The sdmd daemon cores. Although having multiple devices configured with the same iRules LX workspace is an incorrect configuration, sdmd should not core.

Workaround:
When the iRules LX workspace is correctly configured, i.e., on only one device in a DSC, there is no need to config sync, so this issues does not occur.


905153-3 : HW offload of vector 22 (IPv6 Duplicate Extension Headers) not operational

Component: Advanced Firewall Manager

Symptoms:
All mitigation for IPv6 Duplicate Extension Headers DoS vector happens at the software level. The counter in int_drops column reads 0 (zero) in dos_stat tmctl for that vector.

Conditions:
Double IPv6 headers in the packets (except Destination Options header).

Impact:
You cannot offload DDoS vector 22 to FPGA hardware. Only the software-based DDoS mitigation is supported.

Workaround:
Use software DDoS mitigation for this vector.


904845-1 : VMware guest OS customization works only partially in a dual stack environment.

Component: TMOS

Symptoms:
The result of guest OS customization depends on the DHCP state on the management (mgmt) interface and the applied customization profile (i.e., IPv4 only, IPv4 and IPv6, or IPv6 with IPv4 prompt).

By default, DHCP is enabled on the management interface.

During configuration, you can customize only one IPv4 or one IPv6 address in a dual stack environment.

Conditions:
Applying a customization profile to VMware VM in a dual stack environment.

Impact:
You can only partially customize the mgmt interface IP profiles for VMware VMs in a dual stack environment.

Workaround:
Configure the mgmt interface addresses using the config script.


904785-2 : Remotely authenticated users may experience difficulty logging in over the serial console

Component: TMOS

Symptoms:
-- When a remotely authenticated user attempts login over the serial console, the username and password are accepted, but the session closes immediately thereafter.
-- Login over SSH is successful for the same user

Conditions:
-- Remote authentication (e.g., LDAP) and role mapping configured on the BIG-IP system.
-- Attempted login over the serial console for a remotely authenticated user who has been assigned a role.

Impact:
Remotely authenticated users cannot log in over the serial console.

Workaround:
Using either of the following workaround:

-- Log in over SSH instead

-- If acceptable (taking into account security considerations), enable terminal access for all remote users regardless of assigned role, using 'tmsh modify auth remote-user remote-console-access tmsh' or within the GUI.


904705-1 : Cannot clone Azure marketplace instances.

Component: TMOS

Symptoms:
Cannot clone Azure marketplace instances because cloned instances do not properly retrieve publisher and product code from the metadata service.

Conditions:
Applies to any Azure marketplace instance.

Impact:
Cannot clone Azure marketplace instances.

Workaround:
None.


904625-1 : Changes to SSL.CertRequest.* DB variables cause high availability (HA) devices go out of sync

Component: Local Traffic Manager

Symptoms:
The GUI saves SSL certificate/CSR subject fields data into SSL.CertRequest.* DB variables to use them in pre-populating subject fields for subsequent modifications.

Conditions:
-- SSL certificate/CSR modification through GUI.
-- Changing the content of the SSL.CertRequest.* DB variables.
-- High availability (HA) configuration.

Impact:
HA devices go out of sync.

Workaround:
SSL.CertRequest.* DB variables are used only as GUI SSL certificate/CSR pre-populated suggestions.

You can still review and modify them before completing SSL certificate/CSR modification operation, so it is safe to sync them onto the high availability (HA) peer.


904593-3 : Configuration overwritten when using Cloud Auto Scaling template and ASM Automatic Live Update enabled

Component: Application Security Manager

Symptoms:
When a Cloud Auto Scaling deployment is set up using F5's Auto Scale Template, and ASM Live Update is configured with Automatic Download enabled, the configuration may be overwritten during a scale out event when a new host joins the sync cluster. This is caused by a config sync from the new device to the master device, before the master has a chance to sync the configuration to the new device, causing the configuration in the master device to be overwritten.

Conditions:
-- Using F5's Auto Scaling template.
-- Auto Scale script is configured with --block-sync (which is the default).
-- ASM Live Update is configured with Automatic Download enabled.
-- A scale out event occurs.

Impact:
Configuration of all devices in the Auto Scale group is overwritten.

Workaround:
Disable ASM Live Update Automatic Download.

This can be done by disabling the liveupdate.autodownload DB variable using the onboard.js script, and adding '-d liveupdate.autodownload:disable'.

For example:
/usr/bin/f5-rest-node /config/cloud/aws/node_modules/@f5devcentral/f5-cloud-libs/scripts/onboard.js --log-level silly --signal ONBOARD_DONE -o /var/log/cloud/aws/onboard.log --host localhost --port 8443 -d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable --ping

-d tm.tcpudptxchecksum:software-only -d liveupdate.autodownload:disable


904441-1 : APM vs_score for GTM-APM load balancing is not calculated correctly

Component: Access Policy Manager

Symptoms:
Output from the 'show ltm virtual <vs> detail' command reports an incorrect value for the APM Module-Score.

Conditions:
-- Using GTM/DNS and APM.
-- Configure an access profile attached to a virtual server.
-- Configure a non-zero number for 'Max Concurrent Users' for the access profile.
-- Access the virtual server.

Impact:
GTM/DNS load balancing does not work as expected.

Workaround:
None.


904401-4 : Guestagentd core

Component: TMOS

Symptoms:
Guestagentd crashes on a vCMP guest.

Conditions:
This can occur during normal operation in a vCMP environment.

Impact:
Guestagentd crashes on the vCMP guest, and the vCMP host does not have accurate guest information, such as version, provisioning, high availability (HA) status, and tmm status.

Workaround:
None.


904373-4 : MRF GenericMessage: Implement limit to message queues size

Component: Service Provider

Symptoms:
The GenericMessage filter does not have a configurable limit to the number of messages that can be received.

Conditions:
If a message is waiting for an asynchronous iRule operation during a GENERICMESSAGE_INGRESS or GENERICMESSAGE_EGRESS iRule event, new messages are placed in either the ingress or egress queue. As the number of messages increase, more memory is required.

Impact:
If too many messages are queued, the system may exceed an internal count which could lead to a core.

Workaround:
None.


904041-1 : Ephemeral pool members may be incorrect when modified via various actions

Component: Local Traffic Manager

Symptoms:
Ephemeral pool members may not be in the expected state if the corresponding FQDN template pool member is modified by one of several actions.

For example:

A. Ephemeral pool members may be missing from a pool in a partition other than Common, after reloading the configuration of that partition.

B. Ephemeral pool members may not inherit the 'session' state from the corresponding FQDN template pool member if the FQDN template pool member is disabled (session == user-disabled), the config is synced between high availability (HA) members, and BIG-IP is restarted.

Conditions:
Scenario A may occur when reloading the configuration of non-'Common' partition, e.g.:
-- tmsh -c "cd /testpartition; load sys config current-partition"

Scenario B may occur when an FQDN template pool member is disabled (session == user-disabled), the config is synced between HA members, and BIG-IP is restarted.

Impact:
Impacts may include:
- Missing ephemeral pool members, inability to pass traffic as expected.
- Ephemeral pool members becoming enabled and receiving traffic when expected to be disabled.

Workaround:
For scenario A, reload the entire configuration instead of just the individual partition.

For scenario B, it may be possible to work around this issue by checking the status of ephemeral pool members after BIG-IP restart, and toggling the 'session' value between user-enabled and user-disabled.


903581-4 : The pkcs11d process cannot recover under certain error condition

Component: Local Traffic Manager

Symptoms:
When the connection between the BIG-IP system and HSM (SafeNet) is interrupted, pkcs11d is unable to recover in some case.

Conditions:
Connection between the BIG-IP system and the HSM device is interrupted.

Impact:
SSL handshake failure.

Workaround:
Restart the pkcs11d process using the following command:
restart /sys service pkcs11d


903521-1 : TMM fails to sign responses from BIND when BIND has 'dnssec-enable no'

Component: Global Traffic Manager (DNS)

Symptoms:
TMM fails to sign responses from BIND.

Conditions:
BIND has 'dnssec-enable no' in named.conf.

Impact:
TMM fails to sign responses from BIND.

Workaround:
Remove 'dnssec-enable no' from named.conf in options section.


903357-4 : Bot defense Profile list is loads too slow when there are 750 or more Virtual servers

Component: Application Security Manager

Symptoms:
Security :: Bot Defense : Bot Defense Profiles page loading takes a long time when there are profiles configured with hundreds of virtual servers. For example: a configuration with 750 virtual servers takes about 40 seconds to load the page. Configuration with 1300 virtual servers takes more than 70 seconds.

Conditions:
At least one Bot profile attached to hundreds of virtual servers. For 750 and more virtual servers attached the slow loading is significant.

Impact:
Bot Defense list page loading time can take more than 30 seconds.

Workaround:
None.


903265-4 : Single user mode faced sudden reboot

Component: TMOS

Symptoms:
Being logged into the system in single user mode (emergency shell) causes a sudden automatic reboot after some time (~5-to-10 minutes, or longer).

Conditions:
-- Using iSeries platforms.
-- When logged into the emergency shell by appending rd.break to kernel command line.

Impact:
The device reboots after some time. Because of the automatic reboot, you cannot reliably use the emergency shell.

Workaround:
None.


902485-5 : Incorrect pool member concurrent connection value

Component: Application Visibility and Reporting

Symptoms:
In AVR pool-traffic report, 'server-concurrent-conns' reports a larger value than 'server-max-concurrent-conns'.

Conditions:
This is encountered when viewing the pool-traffic report.

Impact:
Incorrect stats reported in the pool-traffic report table

Workaround:
In /etc/avr/monpd/monp_tmstat_pool_traffic_measures.cfg, change the formula of server_concurrent_connections:

From this:
formula=round(sum(server_concurrent_conns),2)

Change it to this:
formula=round(sum(server_concurrent_conns)/count(distinct time_stamp),2)


902417-6 : Configuration error caused by Drafts folder in a deleted custom partition

Component: TMOS

Symptoms:
Error during config load due to custom partition associated Draft folder exists after deleting partition.

01070734:3: Configuration error: Can't associate folder (/User/Drafts) folder does not exist
Unexpected Error: Loading configuration process failed.

Conditions:
Create draft policy under custom partition

Impact:
Impacts the software upgrade.

Workaround:
Remove the Draft folder config from bigip_base.conf or use command "tmsh delete sys folder /User/Drafts" followed by "tmsh save sys config" after removing partition.


902401-1 : OSPFd SIGSEGV core when 'ospf clear' is done on remote device

Component: TMOS

Symptoms:
The ospfd process generates a core.

Conditions:
-- IA routes.
-- OSPF is in FULL/DR state.

Impact:
An OSPF daemon generates a core, potentially losing routing information and OSPF dynamic routes for a moment while the ospfd daemon restarts.

Workaround:
None.


902377-3 : HTML profile forces re-chunk even though HTML::disable

Component: Local Traffic Manager

Symptoms:
HTML profile performs a re-chunk even though HTML::disable has been executed in the HTTP_RESPONSE event.

Conditions:
Using HTML::disable in an HTTP_RESPONSE event.

Impact:
The HTML profile still performs a re-chunk.

Workaround:
None.


901989-1 : Boot_marker writes to /var/log/btmp

Component: TMOS

Symptoms:
The boot_marker is written to /var/log/btmp, but /var/log/btmp is a binary file.

A message similar to:

Apr 21 09:19:52 bigip1 warning sshd[10901]: pam_lastlog(sshd:session): corruption detected in /var/log/btmp

... may be logged to /var/log/secure.

Conditions:
-- Rebooting a BIG-IP.

Impact:
Since this file is unknowingly corrupt at first boot, any potential investigation needing this data may be compromised.

Workaround:
After bootup you can truncate the file.
$ truncate --size 0 /var/log/btmp


901985-7 : Extend logging for incomplete HTTP requests

Component: TMOS

Symptoms:
Logging is not triggered for incomplete HTTP requests.

Conditions:
- HTTP profile is configured.
- Request-log profile is configured.
- HTTP request is incomplete.

Impact:
Logging is missing for incomplete HTTP requests.

Workaround:
None.


901929-1 : GARPs not sent on virtual server creation

Component: Local Traffic Manager

Symptoms:
When a virtual server is created, GARPs are not sent out.

Conditions:
-- Creating a new virtual server.

Impact:
Traffic could be impacted if other systems have the virtual server address already in their ARP caches.

Workaround:
After creating the virtual server, disable and re-enable the ARP setting on the corresponding virtual address.


901669-5 : Error status in "show cm failover-status" after MGMT-IP change

Component: TMOS

Symptoms:
The "tmsh show cm failover-status" command shows failover connection status "Error" on one device, but manual failover is working properly.

Conditions:
-- Two or more devices configured with high availability (HA) and are in sync.
-- The management IP address is changed on one of the devices
--show cm failover-status" on peer. You will see "show cm failover-status" returns "Error" status.

Impact:
The tmsh show cm failover-status command indicates an error, even though the devices are in sync and failover communication is working.

Workaround:
tmsh restart sys service sod


901569-3 : Loopback traffic might get dropped when VLAN filter is enabled for a virtual server.

Component: Local Traffic Manager

Symptoms:
Loopback traffic (local traffic) destined to a virtual server might get dropped when the incoming packet matches a terminating connection flow.

Conditions:
-- VLAN filter is enabled on the virtual server created for loopback traffic processing.
-- An incoming packet matches a terminating connection flow (i.e., the connection flow terminates because of timeout, being dropped by iRule, etc.).

Impact:
Traffic that is matched against a terminating connection flow of a virtual is not processed by the virtual server.

Workaround:
Because this filter is ignored for loopback traffic, removing the 'Enabled On VLAN' filter at the virtual server mitigates the issue.


901061-1 : Safari browser might be blocked when using Bot Defense profile and related domains.

Component: Application Security Manager

Symptoms:
As a fix to ID879777 (https://cdn.f5.com/product/bugtracker/ID879777.html), when navigating to a related domain using Safari, requests might be blocked.

Conditions:
- Using Bot Defense profile, with "Cross Domain Requests" mode "Validate Upon Request"
- BIG-IP version containing fix of ID879777 (16.0 and higher or EngHF)
- Surfing the site using Safari browser.

Impact:
Some requests might be blocked.

Workaround:
None.


901041-2 : CEC update using incorrect method of determining number of blades in VIPRION chassis

Component: Traffic Classification Engine

Symptoms:
There is an issue with the script used for the Traffic Intelligence (CEC (Classification Engine Core)) Hitless Upgrade that misses installing on some blades during install/deploy on VIPRION systems.

Symptoms include:
-- POST error in the GUI.
-- Automatic classification updates are downloaded successfully, but downloaded packages disappear after some time if you do not proceed to install/deploy.

Conditions:
-- CEC hitless update.
-- Using VIPRION chassis.

Impact:
Unable to auto-update Classification signature package on all slots, because the slot count reported for CEC is 0. These packages are installed only on the current slot.

Workaround:
Install the package manually on each slot.

Note: When you refresh the GUI page, the downloaded package appears in the 'Available to Install' list, and you can proceed to install on each slot.


901033-4 : TCP::respond causing memory exhaustion issue when send buffer overwhelmed available TCP window

Component: Service Provider

Symptoms:
With increasing traffic on a virtual server with an iRule configured to send TCP::respond, iRules operate fine until some threshold is reached, after which memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed.

Conditions:
A specific threshold of data is reached. The threshold varies, depending on the memory available on the BIG-IP system.

Impact:
Memory usage continually increases even though the traffic level remains stable. This memory growth increases until the reaper is activated and connections are removed. A tmm core is observed. Traffic disrupted while tmm restarts.

Workaround:
None.


900933-3 : IPsec interoperability problem with ECP PFS

Component: TMOS

Symptoms:
IPsec tunnels fails to remain established after initially working.
 
On the first ESP Security Associations (SAs) establishment, an IPsec tunnel works. After the expiry of the SAs causes a re-key, the keys are calculated incorrectly by the BIG-IP system. The BIG-IP system sends ESP packets to the remote peer, but the remote peer cannot decrypt the packet. Likewise, the BIG-IP system cannot decrypt packets from the remote peer.

This may also immediately present as a problem when trying to establish a second tunnel to the same peer.

Conditions:
- IPsec IKEv2 tunnel.
- A remote peer that is not another BIG-IP system.
- Elliptic curve groups (ECP) is used for Perfect Forward Secrecy (PFS).

Impact:
Multiple IPsec tunnels to the same remote peer cannot be established concurrently, or tunnels fail after a period of time.

Workaround:
Do not use ECP for PFS.


900797-1 : Brute Force Protection (BFP) hash table entry cleanup

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IPs and usernames.
There is a separate hash table for each virtual server.
When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed.
This scenario may cause mitigated entries to keep getting removed from the hash table by new entries.

Conditions:
There is a separate hash table for each virtual server, and its size is controlled by the external_entity_hash_size internal parameter.
When it is set to 0, the size is determined automatically based on system memory.
Otherwise, it is the maximum size of the hash tables together, then divided into the number of virtual servers which have traffic and BFP enabled.
In case of the latter, there might be a chance that with too many virual servers the hash table may reach it's maximum capacity.

Impact:
Mitigated entries that keep getting removed from the hash table by new entries, may result in attacks not getting mitigated.

Workaround:
N/A


900789-1 : Alert before Brute Force Protection (BFP) hash are fully utilized

Component: Application Security Manager

Symptoms:
Brute Force Protection (BFP) uses a hash table to store counters of failed logins per IP addresses and usernames. There is a separate hash table for each virtual server. When the hash table is fully utilized and new entries need to be added, the LRU entry is being removed without logging a warning.

Conditions:
This can be encountered when Brute Force Protection is enabled and the hash table reaches its maximum capacity.

Impact:
No alert is sent when entries are evicted.

Workaround:
None.


900485-1 : Syslog-ng 'program' filter does not work

Component: TMOS

Symptoms:
The 'program' filter type does not work with the BIG-IP system's version of syslog-ng.

Conditions:
-- Using the 'program' expression in a syslog-ng filter.

Impact:
Unable to filter messages as expected.

Workaround:
None.


899933-1 : Listing property groups in TMSH without specifying properties lists the entire object

Component: TMOS

Symptoms:
When listing a property group, if you do not specify any specific properties within that group, the entire object is listed.

Conditions:
-- Using TMSH to list a property group of an object.
-- Not specifying any properties within the property group.

Impact:
Unexpected output.

Workaround:
None.


899253-1 : [GUI] GTM wideip-pool-manage in GUI fails when tens of thousands of pools exist

Component: Global Traffic Manager (DNS)

Symptoms:
Making changes to wide IP pools through GUI management do not take effect.

Conditions:
-- GTM configuration contains a sufficiently high number of pools (~ 15,000).
-- Using the GUI to assign a pool to a wide IP.

Impact:
Changes do not take effect. Unable to use the GUI to manage which pools are associated with a wide IP.

Workaround:
Use TMSH.


899097-3 : Existence of rewrite profile with HTTP profile response chunking mode 'sustain' always triggers client-side chunking

Component: TMOS

Symptoms:
When using the rewrite profile, unchunked server responses where content-type is not text/html or text/css also gets converted to chunked encoding in client-side. Also, the server response is missing a message-body (no content-type/content-length).

The client device receives 'Transfer-Encoding: chunked' in the message-header and receives a chunked body if the origin response has a message-body. The client receives a zero-length chunk if the origin response has no message-body.

Prior to BIG-IP version 15, chunking happens only if origin server response has content-type header set to either text/html or text/css.

Conditions:
- HTTP profile response chunking is set to 'sustain'.
- The virtual server has rewrite profile attached.
- Server response has content-type set not to text/html or text/css OR no content-type header.

Impact:
End users may notice a change in chunking behavior after upgrading from prior release.

Workaround:
Use response chunking mode 'unchunk'


899085-7 : Configuration changes made by Certificate Manager role do not trigger saving config

Component: TMOS

Symptoms:
Configuration changes made in the BIG-IP GUI by a user with role 'Certificate Manager' do not result in the configuration being saved.

If the system is rebooted (or MCPD restarted) without saving the configuration, those changes will be lost.

Conditions:
-- User with role 'Certificate Manager'.
-- Changes made in GUI.
-- System rebooted.

Impact:
Loss of configuration changes.

Workaround:
Users with a 'Certificate Manager' role can save the configuration from tmsh:
tmsh save /sys config

Alternately, another user can save the configuration.


898997-1 : GTP profile and GTP::parse iRules do not support information element larger than 2048 bytes

Component: Service Provider

Symptoms:
GTP message parsing fails and log maybe observed as below:

GTP:../modules/hudfilter/gtp/gtp_parser.c::242 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser_ver_2.c::153 (Failing here. ).
GTP:../modules/hudfilter/gtp/gtp_parser.c::103 (Failing here).

Conditions:
- GTP profile is applied to virtual or GTP::parse command is used
- GTP message contains IE (information element) which is larger than 2048 bytes

Impact:
- message parsing fails, traffic maybe interupted


898929-5 : Tmm might crash when ASM, AVR, and pool connection queuing are in use

Component: Local Traffic Manager

Symptoms:
TMM crashes and generates a core file.

Conditions:
-- System is provisioned for at least ASM, AVR, and LTM.
-- An LTM pool is configured to use connection queuing.
-- The LTM pool is used on a virtual server with an analytics profile.

Impact:
Tmm might crash. Traffic disrupted while tmm restarts.

Workaround:
Disable connection queuing on the pool.


898825-1 : Attack signatures are enforced on excluded headers under some conditions

Component: Application Security Manager

Symptoms:
Attack signatures are marked as detected when they should be marked as excluded (i.e., a false positive).

Conditions:
-- A 100-continue transaction occurs in HTTP.
-- The internal parameter answer_100_continue is set to a non-default value of 0.

Impact:
False positive enforcement for header signature.

Workaround:
Set the answer_100_continue to 1 (default) on versions later than 15.0.0.


898753-6 : Multicast control-plane traffic requires handling with AFM policies

Component: Local Traffic Manager

Symptoms:
AFM virtual-server specific rules are being matched against control-plane traffic.

Conditions:
-- Broadcast OSPF configured.
-- AFM provisioned.
-- OSPF neighbor configured.

Impact:
OSPF neighborship is not formed.

Workaround:
Add an AFM route-domain policy.


898741-1 : Missing critical files causes FIPS-140 system to halt upon boot

Component: Application Security Manager

Symptoms:
After activating a FIPS 140-2 license on a device and rebooting, the device fails to boot.

Conditions:
-- Device is licensed for FIPS 140 mode
-- A critical system file is missing

Impact:
System halts during boot because of sys-eicheck.py failure.

Workaround:
Prior to rebooting into FIPS 140-2 mode, ensure that there are no missing critical files by running the sys-eicheck command.

If the missing files are due to missing signature update files:

- Manually upload the missing images in System ›› Software Management : Live Update - this will ensure that the image is associated with an installation record.


898733-4 : SSL handshakes fail on secondary blades for Thales keys created with fipskey.nethsm after upgrade to 14.1.x and re-import of the keys from HSM

Component: Local Traffic Manager

Symptoms:
SSL handshakes intermittently fail for virtual servers using HSM keys.

In /var/log/ltm you see errors:
err pkcs11d[6575]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software with fipskey.nethsm wrapper, and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm wrapper.

3. The platform is a multi-bladed Viprion.

This can occur after applying the workaround for ID758491:
https://cdn.f5.com/product/bugtracker/ID758491.html

Impact:
SSL handshakes that arrive on the secondary blade(s) fail.

Handshakes arriving on the primary blade work fine.

Workaround:
Re-install the Thales client after the upgrade.


898705-6 : IPv6 static BFD configuration is truncated or missing

Component: TMOS

Symptoms:
-- When an IPv6 address used in the command 'ipv6 static <addr> <gateway> fall-over bfd' exceeds 19 characters, it gets truncated.

-- IPv6 static BFD configuration entries go missing during a daemon restart.

Conditions:
IPv6 static BFD configuration.

Impact:
The IPv6 static BFD configuration does not persist during reloads.

-- The long IPv6 addresses get truncated.
-- The configuration is removed upon daemon restart.

Workaround:
None.


898685-5 : Order of ciphers changes after updating cipher group

Component: Local Traffic Manager

Symptoms:
The order of cipher results may change with no modification in the cipher group.

Conditions:
Click 'Update' in a cipher group in the GUI without making any changes.

Impact:
The order of the ciphers changes. During a handshake, SSL/TLS may not be able to select ciphers in the preferred order.

Workaround:
Create a cipher rule with the preferred cipher order and include only a single rule in cipher group allow list.


898577-1 : Executing a command in "mgmt tm" using iControl REST results in tmsh error

Component: TMOS

Symptoms:
When you try to update the frequency of live-update using iControl REST, it results in a java exception being returned instead of updating the value.

Conditions:
When a command for updating the frequency of live updates is executed using iControl REST in an ASM configured BIG-IP.

Impact:
You are unable to update the frequency of live-update via iControl REST.


898461-1 : Several SCTP commands unavailable for some MRF iRule events :: 'command is not valid in current event context'

Component: TMOS

Symptoms:
The following SCTP iRule commands:

-- SCTP::mss
-- SCTP::ppi
-- SCTP::collect
-- SCTP::respond
-- SCTP::client_port
-- SCTP::server_port

Are unavailable in the following MRF iRule events:

-- GENERICMESSAGE_EGRESS
-- GENERICMESSAGE_INGRESS
-- MR_EGRESS
-- MR_INGRESS

Attempts to use these commands in these events result in errors similar to:

01070151:3: Rule [/Common/sctp_TC] error: /Common/sctp1: error: [command is not valid in current event context (GENERICMESSAGE_EGRESS)][SCTP::ppi 46].

Conditions:
-- Using MRF and SCTP.
-- Using the specified set of iRule commands within the listed iRule events.

Impact:
Unable to use these iRule commands within these iRule events.

Workaround:
None.


898333-1 : Avrd logs errors while DCD is restarting

Component: Application Visibility and Reporting

Symptoms:
Avrd logs an error to /var/log/avrd.log:

EXTERNAL_MESSAGES|ERROR|Mar 27 06:27:19.529|127|lib/avrpublisher/infrastructure/avr_http_connection.cpp:0117| Can't insert messages to queue - some external log will be lost!

Conditions:
-- The BIG-IP system is connected to the Data Collection Device (DCD), BIG-IQ.
-- DCD is going down.

Impact:
Avrd tries to reconnect, fails, and get stuck at some point for around 25 minutes. In the meantime the queue gets full and there are errors in avrd.log.

Workaround:
None.


898201-1 : Fqdn nodes are not getting populated after BIG-IP reboot when DNS server is accessed through a local virtual server.

Component: Local Traffic Manager

Symptoms:
After reboot, no access to services host using fqdn nodes.
-- fqdn nodes are not populated with IP addresses.
-- Unable to access virtual servers served by pools using fqdn nodes.

Conditions:
The issue happens after the BIG-IP is rebooted.
-- when DNS server is accessed through a local virtual server.
-- Single arm cloud BIG-IP with virtual server listening for DNS requests to redirect.

Impact:
-- FQDN DNS requests bypassing the listening virtual server.
-- Unable to access the pools of those configured fqdn nodes.

Workaround:
-- restarting dynconfd.
-- Running a script to trigger off "Tmm ready" and either delete the bad flow(s) or a specific connflow entry.
-- change the dummy dns server to be something in the same subnet as the single interface.


898093-3 : Removing one member from a WideIP removes it from all WideIPs.

Component: Global Traffic Manager (DNS)

Symptoms:
When you use the 'Remove' button to remove a member from a WideIP, the member is removed from all WideIPs.

Conditions:
Use the 'Remove' button.

Impact:
Unintended configuration changes via GUI.

Workaround:
Use the 'Manage' button, rather than the 'Remove' button.


897437-6 : First retransmission might happen after syn-rto-base instead of minimum-rto.

Component: Local Traffic Manager

Symptoms:
If a TCP profile is configured with a syn-rto-base value that is lower than minimum-rto, the first retransmission might happen after syn-rto-base.

This behavior is encountered only if the BIG-IP system is unable to compute the new RTO value before the retransmission timer expires, meaning:

-- The BIG-IP system has not received a packet with a TCP timestamp reply.
-- The BIG-IP system has not received an ACK for a timed sequence number.

Conditions:
Configured value of syn-rto-base is lower than minimum-rto.

Impact:
Retransmission might happen sooner than expected.

Workaround:
There are two possible workarounds:

-- Avoid using a syn-rto-base value that is lower than the minimum-rto value (the default values are 3 seconds for syn-rto-base and 1 second for minimum-rto).

-- Consider enabling timestamps to allow faster RTT measurement.


897185-4 : Resolver cache not using random port distribution

Component: Local Traffic Manager

Symptoms:
Outgoing queries to backend dns server use incremented port numbers instead of being distributed random ports.

Conditions:
-- Fix of ID726176 is applied (see https://cdn.f5.com/product/bugtracker/ID726176.html )

Impact:
The port numbers are incremented.


896817-1 : iRule priorities error may be seen when merging a configuration using the TMSH 'replace' verb

Component: TMOS

Symptoms:
When merging a configuration that modifies the list of iRules a virtual server uses, you may encounter an error similar to:

01070621:3: Rule priorities for virtual server (/Common/virtual1) must be unique.

Conditions:
-- Merging a configuration using the TMSH 'replace' verb.
-- Replacing a virtual server's iRule in a way that adjusts priorities of the iRules.

Impact:
Unable to replace configuration using TMSH's 'replace' verb.

Workaround:
None.


896693-5 : Patch installation is failing for iControl REST endpoint.

Component: TMOS

Symptoms:
iControl REST async endpoint /mgmt/tm/task/util/ihealth behaving inconsistently:

-- A call to VALIDATE the async task is rejected with the error message: 'Operation is not allowed on component /util/ihealth.'
-- The task can be started by calling a different endpoint (e.g., /mgmt/tm/task/cli/script). In this case, the task completes immediately, however, a qkview generating iHealth util is still running. At the end, the qkview is generated.

Conditions:
-- Use iControl REST to create an async task for creating qkview using 'ihealth' with -n option (just generate file, do not upload to iHealth).
-- Try starting the async task by changing the status to VALIDATING.

Impact:
Patch for iControl REST endpoint is not successful. Patch operation is accepted by /mgmt/tm/task/cli/script/ but rejected by /mgmt/tm/task/util/ihealth.

Workaround:
None.


896689-5 : Asynchronous tasks can be managed via unintended endpoints

Component: TMOS

Symptoms:
An asynchronous task created on one endpoint can be started using some other endpoint

Conditions:
Create an asynchronous task e.g. creating qkview using ihealth
using endpoint /mgmt/tm/task/util/ihealth

Gather the task id of the created asynchronous task and send it to a different endpoint e.g. /mgmt/tm/task/cli/script

Impact:
The asynchronous task can be started using this endpoint but this is not intended behavior.


896285-1 : No parent entity in suggestion to add predefined-filetype as allowed filetype

Component: Application Security Manager

Symptoms:
No parent entity appears in an ASM Policy Builder suggestion to add to the policy a predefined-filetype to the allowed filetypes list.

Conditions:
The issue is encountered when filetypes are configured with learning mode which allows new filetypes to be added to the policy. Relevant learning modes to this issue are: Always, Selective and Compact.

Impact:
No parent entity appears in the sugestion.

Workaround:
None.


896217-1 : BIG-IP GUI unresponsive

Component: TMOS

Symptoms:
When you try to log into the GUI via the management IP, you see only a single gray bar displayed in the middle of the window.

Conditions:
-- A GUI session expired while you were logged on.
-- The partition on which the GUI session expires is deleted.
-- You log on again.

Impact:
GUI becomes unresponsive.

Workaround:
Restart tomcat via SSH:
# bigstart restart tomcat


895837-4 : Mcpd crash when a traffic-matching-criteria destination-port-list is modified

Component: TMOS

Symptoms:
Virtual server configured with:

-- Destination address in a non-default route-domain, for example:
0.0.0.0%100/0

-- The configuration uses a destination port list.

Conditions:
Modify the virtual server's port-list to a different one.

Impact:
Mcpd generates a core, and causes services to restart and failover.

Workaround:
None.


895801-1 : Changing an MRF transport-config's TCP profile does not take effect until TMM is restarted

Component: Service Provider

Symptoms:
After modifying an MRF transport-config to use a different TCP profile, TMM must be restarted for this change to take effect. tmm crash

Conditions:
-- Using MRF with a transport-config.
-- Modifying the transport-config so that it uses a different TCP profile.

Impact:
Expected changes do not take effect until TMM is restarted.

Workaround:
Restart TMM.

Note: Traffic is disrupted while tmm restarts.


895205-1 : A circular reference in rewrite profiles causes MCP to crash

Component: Local Traffic Manager

Symptoms:
MCPD crash when modifying rewrite profile.

Conditions:
-- More than one rewrite profile is configured.
-- At least two rewrite profiles are referencing each other circularly.

Impact:
MCPD crash. For a Device Service Cluster this results in a failover. For a standalone system, this results in an outage.

Workaround:
Do not create circular references with profiles.


895165-1 : Traffic-matching-criteria with "any" protocol overlaps with explicit protocols

Component: Local Traffic Manager

Symptoms:
An error like the example below when defining "any" protocol after previously defining traffic-matching-criteria with explicit protocols.
01b90011:3: Virtual Server /Common/vs-tcp's Traffic Matching Criteria /Common/vs-tcp_IP_VS_TMC_OBJ illegally shares destination address, source address, service port, and ip-protocol with Virtual Server /Common/vs-any destination address, source address, service port.

Conditions:
-- Previously defining traffic-matching-criteria with explicit protocols
-- Afterwards defining virtual server with "any" protocol

Impact:
Cannot define a valid virtual server with "any" protocol

Workaround:
N/A


894081-1 : The Wide IP members view in the WebUI may report the incorrect status for a virtual server.

Component: Global Traffic Manager (DNS)

Symptoms:
A virtual server which is actually down and should show red is reported as up and shows green.

Conditions:
This issue happens when a virtual server is marked down by the system due to inheriting the status of its parent link.

Note: This issue only affects Link Controller systems, and not DNS/GTM systems.

Impact:
The WebUI cannot be used to reliably assess the status of Wide IP members (virtual servers).

Workaround:
Use the tmsh utility in one of the following ways to inspect the status of Wide IP members:

# tmsh show gtm pool a members

# tmsh show gtm server virtual-servers


893905-1 : Wrong redirect from Charts to Requests Log when request status selected in filter

Component: Application Security Manager

Symptoms:
Incorrect filter applied when you are redirected from Charts page to Requests Log.

Conditions:
Select request status in filter in Charts page and apply filter and then click View Requests on the bottom of Charts page.

Impact:
Filter not applied in Requests Log page after redirect.

Workaround:
Filter can be applied manually after redirect.
There is mismatch between AVR request types and ASM request statuses, e.g., Blocked in AVR includes Unblocked as well.


893885-4 : The tpm-status command returns: 'System Integrity: Invalid' after HotFix installation

Component: TMOS

Symptoms:
The tpm-status command incorrectly reports system integrity status as 'Invalid' even when system software is not modified.

Conditions:
-- BIG-IP software v14.1.0 or later version.
-- EHF installed on TPM-supported BIG-IP platform.

Impact:
Incorrect presentation of system software status.

Workaround:
None.


893813-4 : Modifying pool enables address and port translation in TMUI

Component: TMOS

Symptoms:
When modifying the pool for a virtual server, address translation and port translation checkboxes are enabled irrespective of their initial state.

Conditions:
-- Creating a virtual server using the GUI
-- Advanced Configuration is selected
-- Address Translation or Port Translation checkboxes are initially unchecked
-- You modify a pool from this screen

Impact:
Virtual server is created with address and port translation enabled.

Workaround:
You can disable it by again editing the virtual server.


893341-4 : BIG-IP VE interface is down after upgrade from v13.x w/ workaround for ID774445

Component: TMOS

Symptoms:
You have BIG-IP Virtual Edition (VE) v13.1.x affected with ID 774445, and its workaround is in place.

 echo "device driver vendor_dev 15ad:07b0 unic" >> /config/tmm_init.tcl

After upgrading to a newer version, interfaces are down.

Conditions:
-- Virtual Edition environment affected by the ID774445.
-- Apply the workaround described in in Final - K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later) :: https://support.f5.com/csp/article/K74921042.

Impact:
Interfaces are down.

Workaround:
1. Edit the /config/tmm_init.tcl file to remove the following line:
device driver vendor_dev 15ad:07b0 unic

2. Reboot into into the new software version.

3.Restart TMM:
tmsh restart sys service tmm


893281-2 : Possible ssl stall on closed client handshake

Component: Local Traffic Manager

Symptoms:
If a client connection closes before finishing client ssl handshake, in some cases BIG-IP ssl does not close and connection remains until idle timeout.

Conditions:
Client ssl handshake and client FIN must arrive while BIG-IP server ssl finished is in crypto.

Impact:
Some ssl client connection remain until idle timeout.


893093-1 : An extraneous SSL CSR file in the /config/big3d or /config/gtm directory can prevent certain sections in the WebUI from showing.

Component: TMOS

Symptoms:
The intended screen does not show when you navigate in the WebUI to either of the following locations:

-- System :: Certificate Management :: Device Certificate Management->Device Trust Certificates

-- DNS :: GSLB :: Servers :: Trusted Server Certificates

The system returns the following error:

An error has occurred while trying to process your request.

Additionally, a Java stack trace is also logged to the /var/log/tomcat/catalina.out file.

Conditions:
An extraneous SSL CSR file is present in the /config/big3d or /config/gtm directory.

-- When the extraneous file is in the /config/big3d directory, the System :: Certificate Management :: Device Certificate Management :: Device Trust Certificates screen is affected.

-- When the extraneous file is in the /config/gtm directory, the DNS :: GSLB :: Servers :: Trusted Server Certificates screen is affected.

Impact:
The WebUI cannot be used to inspect those particular SSL certificate stores.

Workaround:
The /config/big3d and /config/gtm directories are meant to contain only one file each (client.crt and server.crt, respectively).

You can resolve this issue by inspecting those directories and removing any file that may have been accidentally copied to them.

For more information on those directories, refer to: K15664: Overview of BIG-IP device certificates (11.x - 15.x) :: https://support.f5.com/csp/article/K15664.


893061-4 : Out of memory for restjavad

Component: Application Security Manager

Symptoms:
REST framework not available due to Out of memory error

Conditions:
Long list of Live Update installations

Impact:
Live Update GUI is not responding.

Workaround:
1) Increase memory assigned to the Linux host: (value dependant on platform)

# tmsh modify sys db provision.extramb value 1000

2) Allow restjavad to access the extra memory:

# tmsh modify sys db restjavad.useextramb value true

3) Save the config:

# tmsh save sys config

4) The re-provisioning will trigger a restart of the services. Wait until the unit is online again.

5) Increase the restjavad maxMessageBodySize property:

# curl -s -f -u admin: -H "Content-Type: application/json" -d '{"maxMessageBodySize":134217728}' -X POST http://localhost:8100/mgmt/shared/server/messaging/settings/8100 | jq .
{
  "maxMessageBodySize": 134217728,
  "localhostRestnodedConnectionLimit": 8,
  "defaultEventHandlerTimeoutInSeconds": 60,
  "minEventHandlerTimeoutInSeconds": 15,
  "maxEventHandlerTimeoutInSeconds": 60,
  "maxActiveLoginTokensPerUser": 100,
  "generation": 6,
  "lastUpdateMicros": 1558012004824502,
  "kind": "shared:server:messaging:settings:8100:restservermessagingpoststate",
  "selfLink": "https://localhost/mgmt/shared/server/messaging/settings/8100"
}

Ensure the command returns output showing the limit has been increased (as shown above).

6) Reboot the unit.


892801-1 : When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent"

Component: Local Traffic Manager

Symptoms:
When an Internal Virtual Server is created without an existing 0.0.0.0 virtual address, it will have the state "disabled-by-parent".

Conditions:
-- An Internal Virtual Server is created without an existing 0.0.0.0 virtual address.

Impact:
The Internal Virtual Server will be considered unavailable and will not process traffic.

Workaround:
Create a 0.0.0.0 virtual address prior to creating the Internal Virtual Server.


892677-6 : Loading config file with imish adds the newline character

Component: TMOS

Symptoms:
While loading configuration from the file with IMISH ('imish -f <f_name>'), the newline character gets copied at the end of each line which causes problems with commands containing regex expressions.

In particular, this affects the bigip_imish_config Ansible module.

Conditions:
Loading a config with 'imish -f <f_name>' commands.

Note: This command is used with the bigip_imish_config Ansible module.

Impact:
Regex expressions are not created properly.

Workaround:
You can use either of the following workarounds:

-- Delete and re-add the offending commands using the imish interactive shell.

-- Restart tmrouted:
bigstart restart tmrouted


892653-4 : Unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI

Component: Application Security Manager

Symptoms:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Conditions:
This is encountered when configuring the Splunk Logging Format in the GUI

Impact:
You are unable to define Maximum Query String Size and Maximum Request Size fields for Splunk Logging Format in the GUI.

Workaround:
Use tmsh to define the maximum query string size and maximum request size. For more information, see the tmsh command reference for the security log profile at https://clouddocs.f5.com/cli/tmsh-reference/v14/modules/security/security-log-profile.html


892485-3 : A wrong OCSP status cache may be looked up and re-used during SSL handshake.

Component: Local Traffic Manager

Symptoms:
A wrong OCSP status entry in SessionDB is returned during a cache lookup due to using a wrong input parameter - certificate serial number. The result is wrong OCSP status is used in the SSL handshake.

Conditions:
If OCSP object is configured in a clientSSL or serverSSL profile.

Impact:
A wrong OCSP status may be reported in the SSL handshake.


892445-1 : BWC policy names are limited to 128 characters

Component: TMOS

Symptoms:
A 128-character limit for BWC policy object names is enforced and reports an error:

01070088:3: The requested object name <name> is invalid.

Conditions:
Attempting to create a BWC policy object with a name longer than 128 characters.

Impact:
Unable to create BWC policy objects with names that have more than 128 characters.

Workaround:
Use fewer than 128 characters when creating a BWC policy.


892385-5 : HTTP does not process WebSocket payload when received with server HTTP response

Component: Local Traffic Manager

Symptoms:
WebSocket connection hangs on the clientside if the serverside WebSocket payload is small and received in the same TCP packet with server HTTP response.

Conditions:
-- Virtual contains HTTP and WebSocket filters.
-- HTTP response and a small WebSocket payload is received in the same TCP packet from the server.
-- Small WebSocket payload is not delivered on the clientside.

Impact:
-- WebSocket connection hangs.

Workaround:
None.


891729-1 : Errors in datasyncd.log

Component: Fraud Protection Services

Symptoms:
An error exists in datasyncd.log:
DATASYNCD|ERR |Mar 13 12:47:54.079|16301| datasyncd_main.c:1955|tbl_gen_state_machine: cannot start the generator for table CS_FPM

Conditions:
Upgrades from version 13.x to 14.0.0 or higher.

Impact:
FPS has a maximum of ~990 rows instead of 1001, and there are errors in datasyncd.log. However, the upgrade completes normally, and the system operates as expected.

Workaround:
These are benign error messages that you can safely ignore. Upgrade completes successfully, and the system operates as expected.

If you prefer, however, you can perform a clean install instead instead of upgrading. This has an impact on your configuration, as that information will be lost when you do a clean install.


891613-2 : RDP resource with user-defined address cannot be launched from webtop with modern customization

Component: Access Policy Manager

Symptoms:
RDP resource with a user-defined address cannot be launched from the webtop when configured with modern customization.

After requesting the RDP file for a remote address, the RDP file fails to download and the system reports an error message:

Logon failed. Connection to your resource failed. Please click the Try Again button to try again or Close button to close this dialog.

Conditions:
-- Webtop with modern customization.
-- RDP resource with a user-defined address is assigned to the webtop.

Impact:
Cannot use remote desktop resource with user-defined addresses.

Workaround:
As the problem is with modern access policy with modern webtop, a quick workaround:

1. Create a standard access policy with standard webtop (it is similar to modern access policy and modern webtop):

-- 1.1 GUI: Access :: Profiles / Policies :: Create :: {choose Customization Type as 'Standard').
-- 1.2 GUI: Access :: Webtops :: Create :: {choose Customization Type as 'Standard').

Recreate similar access policy as modern access policy that is showing this problem.

If manually re-creating similar standard access policy is not possible, there is no workaround.


891385-1 : Add support for URI protocol type "urn" in MRF SIP load balancing

Component: Service Provider

Symptoms:
MRF SIP load balancing does not support the urn URI protocol type.

Conditions:
-- Using MRF SIP in LB mode.
-- Clients are using the urn protocol type in their URIs.

Impact:
SIP messages with urn URIs are rejected.


891373-1 : BIG-IP does not shut a connection for a HEAD request

Component: Local Traffic Manager

Symptoms:
When an HTTP request contains the 'Connection: close' header, the BIG-IP system shuts the TCP connection down. If a virtual server has a OneConnect profile configured, the BIG-IP system fails to close the connection for HEAD requests disregarding a client's demand.

Conditions:
-- A virtual server has HTTP and OneConnect profiles.
-- An HTTP request has the method HEAD and the header 'Connection: close'.

Impact:
Connection remains idle until it expires normally, consuming network resources.

Workaround:
None.


891221-1 : Router bgp neighbor password CLI help string is not helpful

Component: TMOS

Symptoms:
Unable to confirm the supported encryption types.

enable or add BGP routing prorotol to a route domain
imish >> enable >> conf t >> router bgp 20065004 >> neighbor 1.2.3.4 password ?

b7000.lab[0](config-router)#neighbor 1.1.1.1 password ?
  WORD Encryption Type or the password

Conditions:
Configuring the bgp neighbor with encryption password.

Impact:
Unable to confirm the supported encryption types.

Workaround:
None.


891181-1 : Wrong date/time treatment in logs in Turkey/Istambul timezone

Component: Application Security Manager

Symptoms:
There is mismatch between server and GUI timezone treatment for Turkey/Istambul timezone.

Conditions:
User sets Turkey/Istambul timezone on BIG-IP

Impact:
When filtering logs by time period, results differ from set period by an hour

Workaround:
Define time period one hour earlier for filtering ASM logs


891145-6 : TCP PAWS: send an ACK for half-open connections that receive a SYN with an older TSVal

Component: Local Traffic Manager

Symptoms:
SYNs received with TSVal <= TS.Recent are dropped without sending an ACK in FIN-WAIT-2 state.

Conditions:
-- Timestamps are enabled in TCP profile.
-- Local TCP connection is in FIN-WAIT-2 state.
-- Remote TCP connection abandoned the flow.
-- A new TCP connection sends a SYN with TSVal <= TS.Recent to the local connection.

Impact:
The new TCP connection cannot infer the half-open state of Local TCP connections, which prevents faster recovery of half-open connections. The local TCP connection stays around for a longer time.

Workaround:
There are two workarounds:

-- Reduce the Fin Wait 2 timeout (the default: 300 sec) so that TCP connection is terminated sooner.

-- Disable TCP Timestamps.


890825-1 : Attack Signatures and Threat Campaigns filter incorrect behaviour

Component: Application Security Manager

Symptoms:
When removing not last selected values in Systems or Tags filter, last one is removed.

Conditions:
Select several values in Systems or Tags filter and then remove not the last value.

Impact:
Filter incorrectly displayed.

Workaround:
None.


890277-4 : Full config sync to a device group operation takes a long time when there are a large number of partitions.

Component: TMOS

Symptoms:
When a full config sync is done to a device group with large number of partitions:
-- The config sync operation takes a long time to complete.
-- There is a spike in CPU usage on the device where config push is initiated.
-- The mcpd daemon is unresponsive to other daemons, such tmsh, GUI etc., as it is busy pushing the config sync.
-- iQuery connections are terminated due to high CPU utilization.

Conditions:
Full config sync on device with large number of partitions.

Impact:
The operation takes a long time to complete, minutes on a BIG-IP Virtual Edition (VE) configurations, and varies by platform and the size of the configuration. For example, config sync on a medium BIG-IP VE setup running v15.1.0.1 with 512 partitions takes ~3 minutes.

Impedes management of device as well as terminates iQuery connections to GTM/DNS devices.

Workaround:
Enable Manual Incremental Sync.


889165-4 : "http_process_state_cx_wait" errors in log and connection reset

Component: Local Traffic Manager

Symptoms:
Large POST requests are getting occasionally reset and you see the following in /var/log/ltm:

err tmm[19279]: 011f0007:3: http_process_state_cx_wait - Invalid action:0x100011 clientside

Conditions:
-- An HTTP iRule is configured on a virtual server
-- A large POST request arrives on the virtual server

Impact:
Possible connection failure.


889029-1 : Unable to login if LDAP user does not have search permissions

Component: TMOS

Symptoms:
A user is unable to log in using remote LDAP.

Conditions:
-- BIG-IP systems are configured to use LDAP authentication.
-- Remote user has no search permissions on directory

Impact:
Authentication does not work.

Workaround:
Grant search permissions to the user in LDAP.


888869-1 : GUI reports General Database Error when accessing Instances Tab of SSL Certificates

Component: TMOS

Symptoms:
A General Database Error message is shown when you click the Instances tab of a certificate bundle / certificate / Key listed under the System :: Certificate Management : Traffic Certificate Management : SSL Certificate List.

Conditions:
-- The selected SSL Certificate does not have a certificate or key listed under it.
-- You click the instances tab of the properties page of the SSL Certificate.

Impact:
GUI shows an error screen.

Workaround:
Avoid clicking the instance tab if there is no key or certificate associated with the SSL Certificate / Bundle.


888341-8 : HA Group failover may fail to complete Active/Standby state transition

Component: TMOS

Symptoms:
After a long uptime interval (i.e., the sod process has been running uninterrupted for a long time), HA Group failover may not complete despite an HA Group score change occurring. As a result, a BIG-IP unit with a lower HA Group score may remain as the Active device.

Note: Uptime required to encounter this issue is dependent on the number of traffic groups: the more traffic groups, the shorter the uptime, e.g.:

-- 1 floating traffic group: 2485~ days.
-- 2 floating traffic groups: 1242~ days.
-- 4 floating traffic groups: 621~ days.
-- 8 floating traffic groups: 310~ days.
-- 9 floating traffic groups: 276~ days.

Note: You can confirm sod process uptime in tmsh:

# tmsh show /sys service sod

Conditions:
HA Group failover configured.

Note: No other failover configuration is affected except for HA Group failover, specifically, these are not affected:

 o VLAN failsafe failover.
 o Gateway failsafe failover.
 o Failover triggered by loss of network failover heartbeat packets.
 o Failover caused by system failsafe (i.e., the tmm process was terminated on the Active unit).

Impact:
HA Group Active/Standby state transition may not complete despite HA Group score change.

Workaround:
There is no workaround.

The only option is to reboot all BIG-IP units in the device group on a regular interval. The interval is directly dependent on the number of traffic groups.


888289-7 : Add option to skip percent characters during normalization

Component: Application Security Manager

Symptoms:
An attack signature is not detected.

Conditions:
-- The payload is filled with the percent character in between every other character.
-- The bad unescape violation is turned off.
-- The illegal metacharacter violation is turned off.

Impact:
An attack goes undetected.

Workaround:
Turn on the bad unescape violation or the metacharacter violation.


888081-5 : BIG-IP VE Migration feature fails for 1NIC

Component: TMOS

Symptoms:
When a saved UCS is attempted to be restored in a new BIG-IP Virtual Edition (VE) in order to migrate the configuration, it fails.

load_config_files[28221]: "/usr/bin/tmsh -n -g -a load sys config partitions all " - failed. -- 01071412:3: Cannot delete IP (x.x.x.x) because it is used by the system config-sync setting.

Conditions:
The UCS load step might fail if the DB variable Provision.1NicAutoconfig is set to disable.

Impact:
The UCS restore fails.

Workaround:
The DB variable can be set to enable before loading the UCS.

# tmsh modify sys db provision.1nicautoconfig value enable


887625-4 : Note should be bold back, not red

Component: Application Security Manager

Symptoms:
Under Session Hijacking :: Device Session Hijacking by Device ID Tracking, the note text below the 'enable' checkbox is shown in bold red color

Note : Device-ID mode must be configured in bot profile for this option to work.

Conditions:
This always occurs.

Impact:
The Note does not indicate a hazardous situation (as might be implied by the color), so the text should be black instead of red.

Workaround:
None.


887621-3 : ASM virtual server names configuration CRC collision is possible

Component: Application Security Manager

Symptoms:
A policy add/modify/delete fails with the following error:

-- crit g_server_rpc_handler_async.pl[19406]: 01310027:2: ASM subsystem error (asm_config_server.pl ,F5::ASMConfig::Handler::log_error_and_rollback): Failed on insert to DCC.VS_RAMCACHE (DBD::mysql::db do failed: Duplicate entry '375946375' for key 'PRIMARY').

Conditions:
This can occur when adding a policy. The chance of it occurring increases when there are many virtual servers.

Impact:
Every config update fails.

Workaround:
Figure out which virtual servers have the CRC collision (by looking into DCC.RAMCACHE_VS). Change the name of one of these virtual servers.

You can get the name of the affected virtual server by using the entry reported in the 'Duplicate entry' log, and running this command.

mysql -u root -p$(perl -MPassCrypt -nle 'print PassCrypt::decrypt_password($_)' /var/db/mysqlpw) -e 'SELECT * FROM DCC.VS_RAMCACHE WHERE vs_name_crc = 375946375'


887609-6 : TMM crash when updating urldb blacklist

Component: Traffic Classification Engine

Symptoms:
TMM crashes after updating the urldb blacklist.

Conditions:
-- The BIG-IP system is configured with URL blacklists.
-- Multiple database files are used.

Impact:
TMM restarts. Traffic disrupted while tmm restarts.

Workaround:
None.


887265-3 : BIG-IP may fail to come online after upgrade with ASM and VLAN-failsafe configuration

Component: Application Security Manager

Symptoms:
When booting to a boot location for the first time, the system does not come on-line.

Conditions:
-- There is a large ASM configuration.
-- VLAN failsafe is configured, and the failsafe-action is something other than failover.
-- The BIG-IP system is an appliance.

Impact:
BIG-IP processes continually restart (vlan failsafe-action failover-restart-tm) or the BIG-IP system continually reboots (vlan failsafe-action reboot)

Workaround:
Either disable VLAN failsafe or set the failsafe-action to failover during an upgrade.


887117-3 : Invalid SessionDB messages are sent to Standby

Component: TMOS

Symptoms:
SessionDB messages sent from Active to Standby are dropped due to inconsistencies detected in the message. You see logs in /var/log/ltm:

SessionDB ERROR: received invalid or corrupt HA message; dropped message.

Conditions:
-- High availability (HA) pair configuration.
-- SessionDB messages sent from Active to Standby.

Impact:
Standby drops these messages

Workaround:
None.


887089-2 : Upgrade can fail when filenames contain spaces

Component: TMOS

Symptoms:
Filenames with spaces in /config directory can cause upgrade/UCS load to fail because the im upgrade script that backs up the config, processes the lines in a file spec using white space characters. The number of spaces in the filename is significant because it determines how the process separates the name into various fields, including a path to the file, an md5sum, and some file properties (notably size). If the path contains white space, when the upgrade/UCS load process attempts to use a field, the operation encounters a value other than what it expects, so the upgrade/UCS load fails.

The file's content is also significant because that determines the md5sum value.

Although rarely occurring, a tangential issue exists when the sixth word is a large number. The sixth field is used to determine the amount of space needed for the installation. When the value is a very large number, you might see an error message at the end of the upgrade or installation process:

Not enough free disk space to install!

Conditions:
Filenames with spaces in /config directory.

Impact:
Upgrade or loading of UCS fails.

Workaround:
Remove the spaces in filenames and try the upgrade/UCS load again.


887045-2 : The session key does not get mirrored to standby.

Component: Local Traffic Manager

Symptoms:
When a session variable key length is 65 KB, session mirroring fails for that specific key.

Conditions:
-- APM high availability (HA) setup.
-- Access Policy is configured and synced across both devices.
-- A session variable key of ~65 KB arrives

Impact:
The session key does not get mirrored to standby.

Workaround:
None


886693-4 : System may become unresponsive after upgrading

Component: TMOS

Symptoms:
After upgrading, the system encounters numerous issues:

-- Memory exhaustion (RAM plus swap) with no particular process consuming excessive memory.
-- High CPU usage with most cycles going to I/O wait.
-- System is unresponsive, difficult to log in, slow to accept commands.
-- Provisioning is incomplete; there is a small amount of memory amount assigned to 'host' category.

Conditions:
-- The configuration works in the previous release, but does not work properly in the release you are upgrading to.
-- Device is upgraded and the configuration is rolled forward.
-- There may be other conditions preventing the configuration from loading successfully after an upgrade.

Exact conditions that trigger this issue are unknown. In the environment in which it occurred, a datagroup had been deleted, but an iRule was still referencing it, see https://cdn.f5.com/product/bugtracker/ID688629.html

Impact:
-- System down, too busy to process traffic
-- Difficulty logging in over SSH might require serial console access.

Workaround:
Reboot to an unaffected, pre-upgrade volume.

-- If the system is responsive enough, use 'tmsh reboot volume <N>' on BIG-IP Virtual Edition (VE) or switchboot to select an unaffected volume.

-- If the system is completely unresponsive, physically powercycle a physical appliance or reboot a VE from an applicable management panel, then select an unaffected volume from the GRUB menu manually.

Note: This requires that you have console access, or even physical access to the BIG-IP device if you are unable to SSH in to the unit. On a physical device, a non-responsive system might require that you flip the power switch. For more information, see K9296: Changing the default boot image location on VIPRION platforms :: https://support.f5.com/csp/article/K9296, K5658: Overview of the switchboot utility :: https://support.f5.com/csp/article/K5658, and K10452: Overview of the GRUB 0.97 configuration file :: https://support.f5.com/csp/article/K10452.


886689-7 : Generic Message profile cannot be used in SCTP virtual

Component: TMOS

Symptoms:
When creating virtual server or transport config containing both SCTP and Generic Message profile, it will fail with an error:

01070734:3: Configuration error: Profile(s) found on /Common/example_virtual that are not allowed: Only (TCP Profile, SCTP Profile, DIAMETER Profile, Diameter Session Profile, Diameter Router Profile, Diameter Endpoint, SIP Profile, SIP Session Profile, SIP Router Profile, DoS Profile, profile statistics)

Conditions:
Create virtual server or transport config which contains both SCTP and Generic Message profile.

Impact:
You are unable to combine the Generic Message profile with the SCTP profile.


886649-1 : Connections stall when dynamic BWC policy is changed via GUI and TMSH

Component: TMOS

Symptoms:
Connections stall when dynamic BWC policy is changed via GUI and TMSH.

Conditions:
Issue is seen when you have a dynamic bandwidth control policy configured, and you make a change to the policy via the GUI and TMSH.

Impact:
Connection does not transfer data.

Workaround:
Restart TMM. Delete the relevant configuration, create a new configuration, and apply it.


886273-4 : Unanticipated restart of TMM due to heartbeat failure

Component: TMOS

Symptoms:
A tmm thread might stall while yielding the CPU, and trigger a failsafe restart of the tmm process.

Conditions:
This occurs on appliance platforms (i.e., non-VIPRION platforms).

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None known.


886145-1 : The 'Reconnect' and 'Reconnect All' buttons do not work if reached via a particular section of the DNS WebUI.

Component: Global Traffic Manager (DNS)

Symptoms:
The 'Reconnect' and 'Reconnect All' buttons (introduced in BIG-IP version 14.1.0 to restart some or all iQuery connections) do not work when clicked.

The 'Reconnect' button does not become enabled when a server is selected from the list, and an error is logged in the browser console.

The 'Reconnect All' button is clickable but returns the error "No response action specified by the request" when clicked.

Conditions:
You have accessed the buttons via the following WebUI path:

DNS > GSLB > Data Centers > [dc name] > Servers

Impact:
The buttons do not work, making the corresponding feature unavailable from the WebUI.

Workaround:
Access the buttons via the following alternative WebUI path:

DNS > GSLB > Servers


886045-1 : Multi-NIC instances fail to come up when trying to use memory-mapped virtio device

Component: Local Traffic Manager

Symptoms:
Multi-NIC instances fail to come up while using memory-mapped virtio device.

Running the command 'lspci -s <pci-id> -vv' results in the 'region' field reporting 'Memory at xxxxx'.

Conditions:
TMM crashes as soon as the BIG-IP system tries to come up.

Impact:
The BIG-IP system fails to attach to the underlying virtio devices.

Workaround:
Switch to the sock driver by overriding tmm_init.tcl.

For instructions on how to enable the sock driver, see the workaround in K74921042: BIG-IP VE may fail to process traffic after upgrading the VMware ESXi 6.7 host to Update 2 (or later), available at https://support.f5.com/csp/article/K74921042.


885325-1 : Stats might be incorrect for iRules that get executed a large number of times

Component: Local Traffic Manager

Symptoms:
iRules that execute a lot can make stats counters large enough to overflow in a relatively short amount of time (e.g., a couple of months).

Conditions:
Execute an iRule a lot (e.g., make the total number of executions greater than 32 bits) and check its stats.

Impact:
After the total number exceeds 32 bits, the counter stats are no longer valid.

Workaround:
None.


884729-1 : The vCMP CPU usage stats are incorrect

Component: TMOS

Symptoms:
The vCMP CPU usage stats are incorrect when process on a secondary blade has the same PID as that of primary blade's qemu process.

Conditions:
A process on a secondary blade has the same PID as that of primary blade's qemu process.

Impact:
The vCMP CPU usage stats are intermittently incorrect.

Workaround:
None.


883577-5 : ACCESS::session irule command does not work in HTTP_RESPONSE event

Component: Access Policy Manager

Symptoms:
When ACCESS::session irule is used in HTTP_RESPONSE event, the APM session creation fails with the following log in /var/log/ltm

No HTTP data available - command unsupported in event (line XX)session creation failed - Operation not supported (line XX)

Conditions:
Using ACCESS::session create command under HTTP_RESPONSE.

Impact:
Cannot create APM session using the ACCESS::session irule command.

Workaround:
The same irule ACCESS::session can be used under HTTP_REQUEST to create the APM session.


883149-2 : The fix for ID 439539 can cause mcpd to core.

Component: TMOS

Symptoms:
Mcpd cores during config sync.

Conditions:
This has only been observed once. The device was going from standby to active, and the connection between the BIG-IP peers stalled out.

Impact:
Mcpd cores. Traffic disrupted while mcpd restarts.

Workaround:
NA


883049-1 : Statsd can deadlock with rrdshim if an rrd file is invalid

Component: Local Traffic Manager

Symptoms:
-- RRD graphs are not updated.
-- System statistics are stale.
-- Commands such as 'tmsh show sys memory' may not complete.
-- qkview does not complete, as it runs "tmsh show sys memory'.

You may see errors:

-- err statsd[5005]: 011b0600:3: Error ''/var/rrd/endpisession' is too small (should be 15923224 bytes)' during rrd_update for rrd file '/var/rrd/endpisession'.
-- err statsd[5005]: 011b0600:3: Error '-1' during rrd_update for rrd file '/var/rrd/endpisession'.

Conditions:
Truncation of a binary file in /var/rrd.

Impact:
Stats are no longer collected. Statsd and rrdshim deadlock.

Workaround:
Remove the truncated file and restart statsd:
bigstart restart statsd


882833-1 : SELinux issue cause zrd down

Component: TMOS

Symptoms:
After upgrading BIG-IP software, zrd fails to start.

There are errors in /var/log/daemon.log:

err named[19356]: open: /config/named.conf: permission denied

Conditions:
This can occur after upgrading, for example, when upgrading from version 14.1.0.6 to 15.0.1.1.

Impact:
DNS service disrupted as zrd fails to start after reboot.

Workaround:
Run the following command after upgrading:

restorecon -rF /var/named/


882713-2 : BGP SNMP trap has the wrong sysUpTime value

Component: TMOS

Symptoms:
The timestamp value of sysUpTime in SNMP traps reported by BGP is incorrect.

Conditions:
BGP connection with a peer flaps, and sends traps for the following:
bgpSnmpNotifyEstablished
bgpSnmpNotifyBackwardTransition

Impact:
The sysUpTime in the trap generated by BGP is incorrect.

Workaround:
None.


882709-5 : Traffic does not pass on tagged VLANs on VE configured on Hyper-V hypervisors in this release

Component: TMOS

Symptoms:
In this release, traffic does not pass on tagged VLANs when a BIG-IP Virtual Edition (VE) is deployed on a Hyper-V hypervisor.

This may manifest as traffic failing after an upgrade from earlier (unaffected) software versions.

Note: This functionality worked as expected in v13.x and earlier, and if the same VE is downgraded to v13.x, VLAN tagging functionality is restored.

This is due to an interoperability issue between RedHat Enterprise Linux (RHEL) and Microsoft Hyper-V, which seems to affect RHEL v7.3 and RHEL v7.5.

Hyper-V on Windows Server 2016 and Windows Server 2012 do not seem to identify the version of the built-in LIS correctly on Centos 7.3 or Centos 7.5 (which are built on RHEL 7.3 and RHEL 7.5 respectively).

Although there is a statement of support by Microsoft for VLAN tagging on RHEL 7.3 and 7.5 when running on Hyper-V, that functionality does not appear to work at present: Supported CentOS and Red Hat Enterprise Linux virtual machines on Hyper-V :: https://docs.microsoft.com/en-us/windows-server/virtualization/hyper-v/Supported-CentOS-and-Red-Hat-Enterprise-Linux-virtual-machines-on-Hyper-V.

Conditions:
-- BIG-IP VE is deployed on a Hyper-V hypervisor.
-- VLAN configured in BIG-IP VE with tagged interfaces, e.g.:

    net vlan external {
        interfaces {
            1.1 {
                tagged
            }
        }
        tag 4000
    }

-- At present, VLAN tagging on the v14.x and v15.x releases does not work because those releases are running on CentOS 7.3 and 7.5 respectively, which both are affected by the MS/RHEL interoperability issue.

-- BIG-IP v12.x and v13.x use a different (older) CentOS version, so VLAN tagging works without issue on those releases.

Impact:
-- The system does not prevent you from configuring tagged VLANs, even though they do not pass traffic.

-- Although upgrades complete and you can reboot into the new boot location (or you can set up on Hyper-V from scratch), traffic does not pass (into the guest) across VLANs that are tagged.

Important: If using tagged VLANs on VE setups on Hyper-V is critical to your configuration, you might want to elect to postpone upgrading from a working, v12.x and v13.x release.

Workaround:
Essentially, there is no workaround in this release; you must reconfigure the virtual machine to use separate, untagged interfaces for each VLAN.

Note: Although this is technically a problem between Hyper-V and the built-in LIS on RHEL 7.3/7.5, this issue is being tracked internally in this bug.


882609-2 : ConfigSync status remains 'Disconnected' after setting ConfigSync IP to 'none' and back

Component: TMOS

Symptoms:
After setting a device's ConfigSync IP to 'none' and then back to an actual IP address, the device remains in a disconnected state, and cannot establish ConfigSync connections to other BIG-IP systems in its trust domain.

MCPD periodically logs messages in /var/log/ltm:
err mcpd[27610]: 0107142f:3: Can't connect to CMI peer a.b.c.d, TMM outbound listener not yet created.

Conditions:
--- BIG-IP system is in a trust domain with other BIG-IP systems.
--- Local device's ConfigSync IP is set to 'none', and then back to an actual IP address.

Impact:
Devices unable to ConfigSync.

Workaround:
This workaround will disrupt traffic while TMM restarts:

1. Ensure the local ConfigSync IP is set to an IP address.
2. Restart TMM:
bigstart restart tmm


This workaround should not disrupt traffic:

Copy and paste the following command into the Advanced Shell (bash) on a BIG-IP system, and then run it. This sets the ConfigSync IP for all device objects to 'none', and then back to their correct values.

TMPFILE=$(mktemp -p /var/tmp/ ID882609.XXXXXXX); tmsh -q list cm device configsync-ip > "$TMPFILE"; sed 's/configsync-ip .*$/configsync-ip none/g' "$TMPFILE" > "$TMPFILE.none"; tmsh load sys config merge file "$TMPFILE.none"; echo "reverting back to current"; tmsh load sys config merge file "$TMPFILE"


882549-1 : Sock driver does not use multiple queues in unsupported environments

Component: Local Traffic Manager

Symptoms:
In some unsupported environments, the underying sock driver only uses only 1 queue. This can be confirmed by executing the tmsh command "tmctl -d blade -i tmm/ndal_rx_stats" and check the rxq column which shows 0. This can be verified in the tx side as well.

Conditions:
This occurs in certain unsuppported environments. You can run "ethtool -l", which will show "command not supported".

Impact:
When multi-q is present, the use of single queue can impact the performance when using sock driver.

Workaround:
Use other available drivers. The available drivers can be checked via executing the tmsh command, "tmctl -d blade -i tmm/device_probed"


881085-4 : Intermittent auth failures with remote LDAP auth for BIG-IP managment

Component: TMOS

Symptoms:
There are intermittent auth failures when accessing the BIG-IP administration interfaces via SSH or the GUI.

Conditions:
-- Remote LDAP auth is configured.
-- An idle timeout RST is received on the LDAP connection before the configured auth LDAP idle-timeout expires. This RST might be generated by tmm (if the connection to the LDAP server is via a defined VLAN), some other intervening device on the network, or from the LDAP server itself (depending on its connection time limit).

Impact:
There might be intermittend auth failures.

Workaround:
Set the auth ldap idle-timeout to a smaller value, for example, via tmsh:
modify auth ldap system-auth idle-timeout 299


881065-3 : Adding port-list to Virtual Server changes the route domain to 0

Component: Local Traffic Manager

Symptoms:
When attaching the port-list to virtual server dest:port-list, the route domain of the virtual server is changed to the default value of 0, and the port-list is not correctly applied. This is encountered in the GUI but not in the CLI.

Conditions:
Using port-list along with virtual server in non default route domain using the GUI.

Impact:
You are unable to use the GUI to attach a port-list that uses a non-default route domain to a virtual server.

Workaround:
Use tmsh to attach a port-list to a virtual server if the port-list uses a non-default route domain.


880625-4 : Check-host-attr enabled in LDAP system-auth creates unusable config

Component: TMOS

Symptoms:
When configuring system auth to use LDAP, if you set check-host-attr to enabled, the resulting /config/bigip/pam.d/ldap/system-auth.conf that is generated cannot be parsed by nslcd.

Conditions:
-- Configuring system auth to use LDAP.
-- Setting check-host-attr to enabled.

Impact:
LDAP-based auth does not function.

Workaround:
None.


880165-3 : Auto classification signature update fails

Component: TMOS

Symptoms:
During classification update, you get an error:

"Error: Exception caught in script. Check logs (/var/log/hitless_upgrade.log) for details"

An additional diagnostic is that running the command "/usr/bin/crt_cache_path" reports "none".

Conditions:
This is encountered while updating the classification signatures or the protocol inspection updates.

It can occur when something goes wrong during license activation, but license activation ultimately succeeds.

Impact:
When this issue occurs, auto classification signature update will fail.

Workaround:
You may be able to recover by re-activating the BIG-IP license.


879969-6 : FQDN node resolution fails if DNS response latency >5 seconds

Component: TMOS

Symptoms:
When resolving FQDN names for FQDN nodes/pool members, pending DNS requests are timed out after 5 seconds with no response from the DNS server.
If there is a persistent latency of 5 seconds or greater in the DNS server responses, FQDN name resolution will fail and ephemeral nodes/pool members will not be created.

Conditions:
- BIG-IP using FQDN nodes/pool members
- Persistent latency of 5 seconds or greater in the DNS server responses

Impact:
Ephemeral pool members may not be created, thus no traffic will be sent to the intended pool members.

Workaround:
Resolve any persistent latency issues that might cause delays of 5 seconds or more in DNS server responses.


879413-7 : Statsd fails to start if one or more of its *.info files becomes corrupted

Component: Local Traffic Manager

Symptoms:
If one of the *.info files in /var/rrd becomes corrupted, statsd fails to load it and ends up restarting continuously. You see the following messages in /var/log/ltm:

-- err statsd[766]: 011b020b:3: Error 'Success' scanning buffer '' from file '/var/rrd/throughput.info'.
-- err statsd[766]: 011b0826:3: Cluster collection start error.Exitting.

Conditions:
Corrupted *.info file in /var/rrd.

Impact:
Stats are no longer accurate.

Workaround:
It might take multiple attempts to repair the *.info files. You might have to run the following command several times for different .info files, where <filename> is the actual name of the file (e.g., 'throughput.info'):

found=0;while [ $found != 1 ]; do filetype=`file throughput.info | cut -d " " -f2`;if [[ $filetype != "ASCII" ]]; then rm -f <filename>.info; else grep CRC <filename>.info;found=1;fi; done


879405-3 : Incorrect value in Transparent Nexthop property

Component: TMOS

Symptoms:
Incorrect value in Transparent Nexthop property on virtual server page with assigned VLAN.

Conditions:
-- Virtual server configured with with transparent next-hop bychecking 'Transparent Nexthop' in the GUI on the LTM Virtual Server page: Transparent Nexthop = None

   Works fine with:

Impact:
Incorrect value shown in Transparent Nexthop property field.

Workaround:
Use tmsh to complete the action successfully.


876953-1 : Tmm crash while passing diameter traffic

Component: Service Provider

Symptoms:
Tmm crashes with the following log message.

-- crit tmm1[11661]: 01010289:2: Oops @ 0x2a3f440:205: msg->ref > 0.

Conditions:
This can be encountered while passing diameter traffic when one or more of the pool members goes down and retransmissions occur.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


876581-1 : JavaScript engine file is empty if the original HTML page cached for too long

Component: Fraud Protection Services

Symptoms:
JavaScript engine file is empty.

Conditions:
Original HTML page with FPS injected content is cached for too long due to some caching headers (e.g., ETag), so the JavaScript engine link becomes invalid.

Impact:
No FPS protection for that HTML page.

Workaround:
You can use either workaround:

-- Use an iRule to disable caching for protected HTML pages.

-- Set caching time for protected HTML pages to the same value as the datasync tables regeneration timer according to the active datasync profile (default value is two 2 days).


874677-4 : Traffic Classification auto signature update fails from GUI

Component: Traffic Classification Engine

Symptoms:
Beginning in BIG-IP software v14.1.0, Traffic Classification auto signature update fails when performed using the GUI.

The system reports an error:
Error: Exception caught in the script. Check logs (/var/log/hitless_upgrade.log) for details.

Conditions:
Performing Traffic Classification auto signature update using the GUI.

Impact:
Fails to update the classification signature automatically.

Workaround:
You can use either of the following:

-- Perform Traffic Classification auto signature update operations from the CLI.
-- Use the GUI to manually update Traffic Classification signatures.


873249-6 : Switching from fast_merge to slow_merge can result in incorrect tmm stats

Component: Local Traffic Manager

Symptoms:
TMM stats are reported incorrectly. For example, the system may report double the number of running TMMs or an incorrect amount of available memory.

Conditions:
Changing the DB key merged.method from fast_merge to slow_merge.

Impact:
Incorrect reporting for TMM stats.

Workaround:
Remove the file /var/tmstat/cluster/blade0-performance.

These files are roll-ups and will be re-created as necessary.


872981-4 : MCP crashes when deleting a virtual server and its traffic-matching-criteria in the same transaction

Component: Local Traffic Manager

Symptoms:
MCPD crashes when deleting a virtual server and traffic-matching-criteria in the same transaction. This can happen when explicitly using a transaction, or when using a feature that uses transactions, such as when deleting an iApp instance that created these objects.

Conditions:
-- Using a virtual server that has traffic-matching-criteria (e.g., port lists or address lists) attached.
-- Deleting the virtual server and its traffic-matching-criteria in the same transaction.

Impact:
MCP cores, which causes a failover (in a high availability (HA) system) or temporary outage.

Workaround:
Delete the traffic-matching-criteria object separately from the virtual server.


871705-7 : Restarting bigstart shuts down the system

Component: TMOS

Symptoms:
The 'bigstart restart bigstart' command shuts down the system without displaying or informing the BIG-IP system user that this command can interrupt service. The system goes directly to the inoperative state as soon as the command is run.

Conditions:
-- Running the command bigstart restart bigstart.
-- Running 'systemctl restart systemd-bigstart' twice.

Impact:
Different versions appear to have different behavior:

-- v12.1.5: shell hangs on bigstart command, but the BIG-IP system stays Active.
-- v13.1.0.7: The BIG-IP system goes inoperative upon 'bigstart restart bigstart'.
-- 1v4.1.2.3: The 'bigstart restart bigstart' command cannot find the 'bigstart' service, but 'systemctl restart systemd-bigstart' shows this behavior.

Workaround:
None.


871561-6 : Hotfix installation on vCMP guest fails with '(Software compatibility tests failed.)'

Component: TMOS

Symptoms:
Due to a known issue, software upgrade to an engineering hotfix might fail with a log message in /var/log/ltm similar to:

info lind[5500]: 013c0007:6: Install complete for volume=HD1.2: status=failed (Software compatibility tests failed.)

Conditions:
Performing a software upgrade to a hotfix release on a vCMP guest.

Impact:
Unable to perform an upgrade.

Workaround:
Option 1:
Make sure that .iso files for both base image and hotfix reside only on a vCMP guest before starting the installation.

Option 2:
Even if the hotfix installation has failed, the base image should still have been installed properly, so you can restart the vCMP guest and perform a hotfix installation on top of already installed base image.

Option 3:
Even if the hotfix installation has failed, the base image should still have been installed properly. Ensure there is copy of the hotfix locally within the vcmp Guest. Then restart the lind service

  tmsh restart sys service lind

The hotfix installation should begin again this time using the hotfix from within the guest /shared/images/ location.


870349-2 : Continuous restart of ntlmconnpool after license reinstall

Component: Local Traffic Manager

Symptoms:
The ntlmconnpool process continuously restarts after reinstalling the licence. The system reports a message in the BIG-IP console:
Re-starting ntlmconnpool.

Conditions:
This occurs when you upgrade your license such that the new license changes the number of TMMs available.

Impact:
System requires reboot, and reports 'Re-starting ntlmconnpool' message continuously in the BIG-IP console.

Workaround:
You must reboot to clear the condition. Once the system comes back up, it operates as expected.


870309-3 : Ephemeral pool member not created when FQDN resolves to new IP address

Component: Local Traffic Manager

Symptoms:
On rare occasions, when using FQDN nodes/pool members and the FQDN name resolves to a different IP address, the ephemeral pool member for the old IP address may be removed, but a new ephemeral pool member for the new IP address may not be created.

Under normal operation, the following sequence of messages is logged in /var/log/dynconfd.log when dynconfd logging is set to 'debug' level:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com
[D]: PoolMember::scan: pool /Common/my_fqdn_pool member /Common/my_fqdn_node fqdn my.fqdn.com

But when this problem occurs, the 'setFQDNPoolMembersModified' log message is not followed by a 'PoolMember::scan' log message:

[D]: setFQDNPoolMembersModified: pool /Common/my_fqdn_pool node /Common/my_fqdn_node fqdn my.fqdn.com

Conditions:
This may occur under rare timing conditions while using using FQDN nodes/pool members, when the DNS server resolves the FQDN name to a different IP address.

Impact:
Pools configured with FQDN-based pool members may become empty, in which case no traffic will be processed by that pool.

Workaround:
To recover from this condition once it occurs, perform either of the following actions:

-- Restart the dynconfd daemon:
bigstart restart dynconfd

This temporarily interrupts queries for FQDN name resolution and updates (deletion/creation) of ephemeral nodes/pool members in response to FQDN resolution changes.

This action is not otherwise expected to affect traffic currently flowing to pools.


-- Remove the FQDN pool member, then re-add the FQDN pool member back to the pool:
tmsh modify ltm pool my_fqdn_pool { members delete { my_fqdn_node:port } }
tmsh modify ltm pool my_fqdn_pool { members add { my_fqdn_node:port <other parameters> } }

If the pool already has no ephemeral pool members, this has no effect on traffic (which is already not flowing to this pool).

If the pool has some ephemeral pool members but not the complete list of expected ephemeral members, this will interrupt traffic flowing to this pool while there are no pool members present.

In that case, temporarily adding at least one pool member with a statically-configured IP address before removing the FQDN pool member, then removing the same temporary pool members after replacing the FQDN pool member, allow straffic to continue flowing to the pool while this action is performed.


869565-2 : Disabling of HTTP/2 profile on server side does not prevent h2 in ALPN

Component: Local Traffic Manager

Symptoms:
HTTP/2 protocol can be negotiated with the Application-Layer Protocol Negotiation (ALPN) on the Transport Layer Security (TLS) level of communication. When an iRule disables HTTP/2 on a server side, it is assumed that the BIG-IP system no longer offers h2 to a server as an option.

Conditions:
-- A virtual server has an HTTP/2 profile configured on both the client and server sides.
-- A server SSL profile is configured on the virtual server.
-- An iRule using the 'HTTP2::disable serverside' command is attached to the virtual server.

Impact:
The BIG-IP system offers h2 as an option in ALPN when the HTTP/2 profile is disabled on a server side. If h2 is accepted by the server, communication fails since HTTP/2 is disabled and does not decode HTTP/2 traffic.

Workaround:
None.


869553-2 : HTTP2::disable fails for server side allowing HTTP/2 traffic

Component: Local Traffic Manager

Symptoms:
The BIG-IP system provides an iRule command 'HTTP2::disable serverside' to put http2 in passthrough mode. When the command is called during the CLIENT_ACCEPTED event, it should completely disable http2 until the end of TCP connection, or until the HTTP2::enable command is executed.

Conditions:
-- A virtual server has an HTTP/2 profile configured on the server side.
-- An iRule with an the command 'HTTP2::disable serverside' command is attached to the virtual server in the CLIENT_ACCEPTED event.

Impact:
The BIG-IP system continues to send HTTP/2 traffic to a server.

Workaround:
None.


869049-3 : Charts discrepancy in AVR reports

Component: Application Visibility and Reporting

Symptoms:
Discrepancy in AVR reports. When filtering on the 'last month' interval, a specific number of total requests per virtual server is shown. Then when filtering to the present day from a date that encompasses that month, a lower number is reported.

Conditions:
-- Number of records in database exceeds the maximum mount of data that AVR can aggregate between different table-resolutions.
-- There are metrics on the report other than the default one (hits-count).

Impact:
Stats on DB get corrupted and incorrect.

Workaround:
None.


867985-5 : LTM policy with a 'shutdown' action incorrectly allows iRule execution

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide manipulation tools over a connection with an LTM policy and/or iRule. LTM policy takes precedence over iRules and has an option to shutdown a connection based on satisfied conditions. When a connection is closing, an iRule should not be executed under the same conditions.

Conditions:
-- The BIG-IP system has a virtual server with an LTM policy and an iRule.
-- The LTM policy has action 'shutdown connection' under certain conditions.
-- The iRule has an event which is triggered under the same conditions.

Impact:
The iRule is executed before the connection is being reset.

Workaround:
None.


865177-5 : Cert-LDAP returning only first entry in the sequence that matches san-other oid

Component: TMOS

Symptoms:
Certificate-ldap only returns the first matching oid from the certificate file even though multiple matching san-other entries exists

Conditions:
When Certificate-ladp attribute ssl-cname-field set to san-other and certificate with multiple san-other oids

Impact:
Only the first matching oid is returned.


864757-4 : Traps that were disabled are enabled after configuration save

Component: TMOS

Symptoms:
The ifLinkUpDownTrapEnable setting is not saved to config files nor UCS. If you have disabled 'link up/down' traps for an interface, save the config, and then load the config files or UCS, all interfaces will have traps enabled, even the ones that were explicitly disabled.

Conditions:
-- Disable 'link up/down' traps for an interface.
-- Save the configuration or UCS.
-- Reload the configuration or load the UCS.

Impact:
All interfaces have traps enabled, even the ones that were explicitly disabled.

Workaround:
None.


862937-4 : Running cpcfg after first boot can result in daemons stuck in restart loop

Component: TMOS

Symptoms:
After running cpcfg and booting into the volume, daemons such as named and gtmd are stuck restarting. Additionally the SELinux audit log contains denial messages about gtmd and named being unable to read unlabeled_t files.

Conditions:
Running cpcfg on a volume that has already been booted into.

Impact:
Services do not come up.

Workaround:
In the bash shell, force SELinux to relabel at boot time. Then reboot:

# touch /.autorelabel
# reboot


862525-7 : GUI Browser Cache Timeout option is not available via tmsh

Component: TMOS

Symptoms:
In BIG-IP v10.x it was possible to change the browser cache timeout from bigpipe using the command:
  bigpipe httpd browsercachetimeout

In 14.1.2.1 and newer, it is still possible to change the value in the GUI using "System :: Preferences :: Time To Cache Static Files.

However there is no tmsh equivalent in any version.

Conditions:
This is encountered when you try to configure the GUI browser cache timeout setting using tmsh.

Impact:
Unable to modify browser cache timeout except from GUI

Workaround:
Using GUI to configure this field. GUI System :: Preferences :: Time To Cache Static Files.


860573-4 : LTM iRule validation performance improvement by tracking procedure/event that have been validated

Component: TMOS

Symptoms:
Loading (with merge) a configuration file that references some iRules results in validating every iRule and ends up validating the same procedures multiple times for every virtual server a single iRule is associated with.

Conditions:
Configuration which has 100's of virtual servers, some iRules that are assigned to all virtual servers and a few library iRules.

Impact:
Task fails (via REST) or ends up taking a really long time when run manually.

Workaround:
None.


860277-5 : Default value of TCP Profile Proxy Buffer High Low changed in 14.1

Component: Local Traffic Manager

Symptoms:
Version: 13.1.3.1

# tmsh list ltm profile tcp tcp proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 49152
    proxy-buffer-low 32768
}

       proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 49152.

       proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 32768.

Version: 14.1.2.2

# list ltm profile tcp TCP proxy-buffer-high proxy-buffer-low
ltm profile tcp tcp {
    proxy-buffer-high 65535
    proxy-buffer-low 32768
}


proxy-buffer-high
            Specifies the highest level at which the receive window is closed.
            The default value is 131072.

proxy-buffer-low
            Specifies the lowest level at which the receive window is closed.
            The default value is 98304.

Conditions:
Looking at the help for proxy-buffer-high and proxy-buffer-low in tmsh

Impact:
The default value for proxy-buffer-high is 65535 and the default value for proxy-buffer-low is 32768, but the help text indicates that the defaults are 13072 and 98304 respectively.


858701-5 : Running config and saved config are having different route-advertisement values after upgrading from 11.x/12.x

Component: Local Traffic Manager

Symptoms:
When you upgrade an 11.x/12.x device with route advertisement enabled, you might discover a difference between the running configuration and the saved configuration post upgrade, which might result in route advertisement becoming disabled.

-- In the running configuration, the virtual-addresses route advertisement setting 'enabled' changes to 'selective'.
-- In bigip.conf, the virtual-addresses route advertisement setting is still set to 'enabled'.
-- After config load or after re-licensing, the virtual-addresses route advertisement reverts to disabled.

Conditions:
-- Upgrading an 11.x/12.x device with route advertisement enabled.
-- After saving the config, both the running-config and bigip.conf have the same value: i.e., 'selective'.
-- Loading the configuration (tmsh load sys config) results in route advertisement becoming disabled.

Impact:
The route-advertisement setting is 'enabled' in the config file, but 'selective' in the running configuration. This has the following impact:

If you save the configuration and then reload it, the route advertisement is changed to 'selective' in the config file and 'disabled' in the running config.

Workaround:
You can identify whether systems running v13.0.0 or higher are at risk of encountering this issue by checking a legacy internal setting, ROUTE_ADVERTISEMENT:

Procedure to identify whether virtual-addresses are affected, that have an incorrect setting in the legacy ROUTE_ADVERTISEMENT artifact:

  Virtual-addresses may be affected by this issue on v13.0.0 and higher if ROUTE_ADVERTISEMENT=true in mcpd.

  You can check this value with the guishell command:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

    Example:
      guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
        -----------------------------------------------------------
        | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
        -----------------------------------------------------------
        | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
        | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
        | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
        | /Common/10.32.101.47 | true | 0 | <<< MEDIUM RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
        | /Common/10.32.101.49 | true | 1 | <<< HIGH RISK virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

      Any virtual address that shows ROUTE_ADVERTISEMENT=true is at risk. If true but route-advertisement is not in use, there is no risk until route-advertisement is configured later.

------------------------------------------------------------------------------------------
Procedure to remove the legacy ROUTE_ADVERTISEMENT artifact from the config on systems found to be affected:

1. Fail over the system to a standby status:
  tmsh run sys failover standby

2. Save the config to disk:
  tmsh save sys config

3. Load the config from disk. This may temporarily cause route-advertisement to revert to disabled on at risk virtual-addresses:
  tmsh load sys config

4. Load the config a 2nd time. This removes the legacy artifact, re-enables route-advertisement as per the configuration, and leaves the system in a not-at-risk state:
  tmsh load sys config

5. Verify it worked:
  guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";

  Example of a fixed config:
    guishell -c "select NAME,ROUTE_ADVERTISEMENT,RA_OPTION from virtual_address";
      -----------------------------------------------------------
      | NAME | ROUTE_ADVERTISEMENT | RA_OPTION |
      -----------------------------------------------------------
      | /Common/10.32.101.41 | false | 0 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement disabled
      | /Common/10.32.101.42 | false | 2 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement selective
      | /Common/10.32.101.43 | false | 1 | <<< no risk, virtual-address created in 13.1.3.2 with route-advertisement enabled
      | /Common/10.32.101.47 | false | 0 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement not in use
      | /Common/10.32.101.49 | false | 1 | <<< no risk, virtual-address from a 11.6.2 upgrade or 11.6.2 ucs with route-advertisement enabled

------------------------------------------------------------------------------------------
If you encounter this issue and route-advertisement becomes disabled before cleaning the legacy ROUTE_ADVERTISEMENT artifact from the config, reload the configuration again using the following command to set the running config and saved config to to 'selective':

tmsh load sys config


858197-5 : Merged crash when memory exhausted

Component: TMOS

Symptoms:
Merged crashes when system memory is exhausted

Conditions:
System memory is is at 0% available.

Impact:
Merged crashes, stopping stats updates

Workaround:
Reduce the configuration on the system


857897-3 : Address and port lists are not searchable within the GUI

Component: Advanced Firewall Manager

Symptoms:
Search from shared objects of IP addresses in the address list and port numbers in the port list does not work as expected. In previous releases, it was possible to expand all address/port lists in a single operation. There is no support for that in this release.

Conditions:
Searching from shared objects of IP addresses in the address list and port numbers in the port list.

Impact:
It is no longer possible to expand all address/port lists in a single operation, and because all lists needs to be expanded to allow a search using the browser or cache the objects in the embedded search box from the GUI, the functionality does not work as expected.

Workaround:
None.


856713-4 : IPsec crash during rekey

Component: TMOS

Symptoms:
IPsec-related tmm crash and generated core file during rekey.

Conditions:
-- IPsec timeout occurs.
-- Some temporary SA's are created by racoon.

Impact:
Tmm crashes and creates core file. Traffic disrupted while tmm restarts.

Workaround:
None.


854129-1 : SSL monitor continues to send previously configured server SSL configuration after changes (removal/modification)

Component: Local Traffic Manager

Symptoms:
Monitor continues to send previously configured settings from the server SSL profile such as client certificate or cipher list after the SSL profile has been removed/modified from the monitor.

Conditions:
-- In-TMM monitor configured.
-- SSL monitor configured with a server SSL profile.
-- Modification of the server SSL profile on the monitor.

Impact:
The previously configured settings, such as certificate or cipher, may continue to be transmitted to the server, resulting in node continuing to be marked up or down (respectively).

Workaround:
You can use either of the following workarounds:

-- Disable and then re-enable the pool member.

-- Restart tmm. Note: Using this option interrupts traffic. Traffic disrupted while tmm restarts.


854001-1 : TMM might crash in case of trusted bot signature and API protected url

Component: Application Security Manager

Symptoms:
When sending request to a protected API URL, with a trusted bot signature, tmm tries to perform reverse DNS to verify the signature. During this process, the URL qualification might change. In this case - tmm crashes.

Conditions:
-- Bot Defense profile attached.
-- 'API Access for Browsers and Mobile Applications' is enabled.
-- A DNS server is configured.
-- Request is sent to an API-qualified URL.
-- Request is sent with a trusted bot signature.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Disable the 'API Access for Browsers and Mobile Applications' or remove the DNS server.


852325-6 : HTTP2 does not support Global SNAT

Component: Local Traffic Manager

Symptoms:
The Global SNAT feature does not work with HTTP2.

Conditions:
-- Global SNAT is used
-- HTTP2 is used.

Impact:
Traffic uses the incorrect IP addresses when sourced from the BIG-IP system.

Workaround:
Use an explicit SNAT setting: SNAT Auto-Map or a SNAT pool.


851385-2 : Failover takes too long when traffic blade failure occurs

Component: Local Traffic Manager

Symptoms:
When blades 1 and 4 are disabled on the active chassis, the failover period is between 3.4 to 4.7 seconds before the next-active device starts processing messages.
  
If the blades are physically pulled from the chassis,
the failure occurs within 1 second.

Conditions:
-- Multi-blade VIPRION system
-- Blades 1 and 4 are connected to the network via trunks, blades 2 and 3 are CPU-only blades
-- Blades 1 and 4 are disabled via the GUI

Impact:
Significant delay before BIG-IP delivers a web page during between-cluster failover


850509-4 : 'Decryption of the field (privatekey) for object (13079) failed' message

Component: Global Traffic Manager (DNS)

Symptoms:
During config load or system start-up, you see the following error:

01071769:3: Decryption of the field (privatekey) for object (13079) failed.
Unexpected Error: Loading configuration process failed.

Conditions:
-- TSIG keys are present in the device configuration.
-- The device's master key is changed.

Impact:
Unable to view TSIG keys. Configuration cannot be loaded.

Workaround:
None.


847105-1 : The bigip_gtm.conf is reverted to default after rebooting with license expired

Component: Global Traffic Manager (DNS)

Symptoms:
The bigip_gtm.conf is reverted to default after rebooting (or upgrading to a newer BIG-IP software release).

Conditions:
-- The BIG-IP license is expired prior to the reboot or upgrade.
-- GTM is configured.

Impact:
The GTM configuration (in /config/bigip_gtm.conf) information is lost in the newly installed boot location.

Workaround:
Renew license before reboot. Always reboot with valid license.

If you have already rebooted or upgraded with an expired license, and your configuration has been lost, you can restore it using the following procedure.

1. Re-activate the BIG-IP license
2. Restore bigip_gtm.conf from the auto-created backup (.bak) file:
   cp /config/bigip_gtm.conf.bak /config/bigip_gtm.conf
3. Load the replaced config:
   tmsh load sys config gtm-only

If this is a the result of a software upgrade, and the .bak file is not available or has been overwritten, you can boot back to the previous volume and re-copy the configuration from there (cpcfg or via the GUI) before rebooting back to the upgraded software release.


846977-6 : TCP:collect validation changed in 12.0.0: the first argument can no longer be zero

Component: Local Traffic Manager

Symptoms:
Validation for TCP::collect was changed in BIG-IP software v12.0.0 (with the introduction of JET specifications). Prior to 12.0.0, there were no restrictions on the values of the two arguments. As of 12.0.0, the first argument ('collect_bytes') must be a positive integer, and the second argument ('skip_bytes) must be a non-negative integer.

Occurrences of 'TCP::collect 0 0' in iRules experience issues when upgrading to a newer version, producing warnings in LTM log:

/Common/T_collect:9: warning: [The following errors were not caught before. Please correct the script in order to avoid future disruption. "invalid argument 0; expected syntax spec:"136 17][TCP::collect 0 0].

Conditions:
-- Using a version of BIG-IP software earlier than 12.0.0, configure an iRule with a 'TCP::collect 0 0' command.
-- Upgrade to 12.0.0 or later.

Impact:
Warning in the LTM log file. The iRules containing 0 values do not function as expected. There is no other impact.

Workaround:
Change 'TCP::collect 0 0' to a value other than 0 (zero) in any iRules before or after upgrade.


844925-4 : Command 'tmsh save /sys config' fails to save the configuration and hangs

Component: TMOS

Symptoms:
The 'tmsh save /sys config' command hangs and fails to save the configuration if there is a memory allocation failure when creating the reply.

Conditions:
-- A large number of iApps: in the thousands.
-- Each iApp has tens of variables.

Impact:
Because tmsh cannot save the configuration, if the BIG-IP system reboots, any changes made since the last successful save are lost.

Workaround:
Run the command:
tmsh save /sys config binary

This does not save the configuration to files in /config, but it does at least allow you to save the binary configuration.

That way, you can reboot the BIG-IP system and not lose the configuration.

Note: It is possible that a reboot will provide sufficient memory to save to configuration files. It depends on the configuration of virtual memory at the time of the save. It is possible that every time you want to save the config, you must use the binary option.


844085-5 : GUI gives error when attempting to associate address list as the source address of multiple virtual servers with the same destination address

Component: TMOS

Symptoms:
With multiple virtual servers that have the same destination address, changing all of them in the GUI to use an address list as their source address will result in the last one changed failing with an error similar to:

01070344:3: Cannot delete referenced virtual address /Common/1.2.3.4.

Conditions:
-- More than one virtual server with the same destination address.
-- Changing all the virtual servers that share the same destination address to use an address list for their source address.

Impact:
Unable to change the source address of a virtual server to an address list.

Workaround:
Use TMSH to manually create a traffic-matching criteria object and assign it to the virtual server:

tmsh create ltm traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination-address-inline <destination address of virtual server> destination-port-inline <destination port of virtual server> source-address-inline 0.0.0.0 source-address-list <address list name>
}

tmsh modify /ltm virtual <virtual server name> traffic-matching-criteria <virtual server name>_VS_TMC_OBJ destination 0.0.0.0:any


842669-5 : Syslog-ng / systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log

Component: TMOS

Symptoms:
Systemd-journald cannot handle logs with embedded newlines, write trailing content to /var/log/user.log. Bare ')' being logged to /var/log/user.log., for example:

cat /var/log/user.log
[...]: Deleting file /shared/core/*.core.*
[...]: Deleting file /shared/core/*.core.*
[...] )
[...] )

Conditions:
This occurs when the system logs syslog messages containing embedded newlines, such as

- The cron process tries and fails to send an email because of output about a cron script.
- Modify syslog include configuration
- Apply ASM policy configuration change
- GTM.debugprobelogging output from big3d

Impact:
The logging subsystem accepts syslog messages with embedded newlines, and writes first line to the appropriate file, and remaining lines to /var/log/user.log.

Workaround:
View the logs using journalctl -D /var/log/journal


842149-3 : Verified Accept for SSL Orchestrator

Component: Access Policy Manager

Symptoms:
You are unable to configure Verified Accept on SSL Orchestrator.

Conditions:
-- SSL Orchestrator in use .
-- A TCP profile is in use and it contains the Verified Accept flag.

Impact:
No connectivity over SSL Orchestrator.

Workaround:
None.


842137-2 : Keys cannot be created on module protected partitions when strict FIPS mode is set

Component: Local Traffic Manager

Symptoms:
When FIPS mode is set to use FIPS 140-2 Level 3 protection, new keys cannot be created in the module's protected partition

Conditions:
-- FIPS 140-2 Level 3 protection is configured on a NetHSM partition
-- You attempt to create a FIPS key using that partition

Impact:
New Keys cannot be created

Workaround:
Here are all the steps to generate a new netHSM key called "workaround" and install it into the BIG-IP config:

1.

[root@bigip1::Active:Standalone] config # fipskey.nethsm --genkey -o workaround -c module
WARNING: fipskey.nethsm will soon be deprecated for use with Thales. Please switch to using tmsh commands instead.
tmsh commands...

Generate Key:
tmsh create sys crypto key <key_name> security-type nethsm [gen-certificate|gen-csr] ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate CSR for existing key:
tmsh create sys crypto csr <csr_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Generate Self-Signed Certificate for existing key:
tmsh create sys crypto cert <cert_name> key <key name> ...
For an exhaustive list of options, please consult F5's tmsh documentation.
Delete Key:
tmsh delete sys crypto key <keyname>


str[cd /shared/tmp && /opt/nfast/bin/generatekey -b pkcs11 certreq=yes selfcert=yes protect=module size=2048 embedsavefile="workaround" plainname="workaround" digest=sha256]
key generation parameters:
 operation Operation to perform generate
 application Application pkcs11
 protect Protected by module
 verify Verify security of key yes
 type Key type RSA
 size Key size 2048
 pubexp Public exponent for RSA key (hex)
 embedsavefile Filename to write key to workaround
 plainname Key name workaround
 x509country Country code
 x509province State or province
 x509locality City or locality
 x509org Organisation
 x509orgunit Organisation unit
 x509dnscommon Domain name
 x509email Email address
 nvram Blob in NVRAM (needs ACS) no
 digest Digest to sign cert req with sha256

Key successfully generated.
Path to key: /opt/nfast/kmdata/local/key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622
Starting synchronisation, task ID 5de83486.6e9e32d7f367eaf4
Directory listing failed: No such file or directory

2. (this is to confirm the key is present with the label "workaround"

[root@bigip1::Active:Standalone] config # nfkminfo -l

Keys with module protection:

 key_pkcs11_ua882aa9fadee7e440772cb6686358f4b283922622 `workaround'

Keys protected by cardsets:
...

3.
[root@bigip1::Active:Standalone] config # tmsh install sys crypto key workaround from-nethsm

4. (install public certificate)
[root@bigip1::Active:Standalone] config # tmsh install sys crypto cert workaround from-local-file /config/ssl/ssl.crt/workaround


841305-3 : HTTP/2 version chart reports are empty in GUI; error appears in GUI and reported in monpd log

Component: Application Visibility and Reporting

Symptoms:
The HTTP/2 version appears in charts, but when clicking on the chart reports, errors are reported in monpd log and the chart is empty in the GUI, with an error reported in the GUI and in the monpd log:

-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:mysql_query_safe:0209| Error (err-code 1054) executing SQL string :
-- DB|ERROR|Oct 21 06:12:24.578|22855|../src/db/MonpdDbAPI.cpp:runSqlQuery:0677| Error executing SQL query:
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/handlers/ReportRunnerHandler.cpp:runReport:0409| Results for query came back as NULL
-- REPORTER|ERROR|Oct 21 06:12:24.578|22855|../src/reporter/ReporterUtils.cpp:throwInternalException:0105| throwing exception to client error code is 1 error msg is Internal error

Conditions:
-- Create a new policy or use an existing policy.
-- Go to Security :: Reporting : Application : Charts.
-- Select weekly charts.

Impact:
Charts are empty in the GUI, and the system logs errors in monpd.

Workaround:
None.


839121-4 : A modified default profile that contains SSLv2, COMPAT, or RC2 cipher will cause the configuration to fail to load on upgrade

Component: TMOS

Symptoms:
After upgrading, the configuration fails to load and throws an error about a profile that is located in profile_base.conf using SSLv2. However, upon inspection you will notice that there is no SSLv2 cipher in use.

Conditions:
The upgrade failure is seen when all the following conditions are met:

-- BIG-IP system with SSLv2 as the ciphers option in an SSL profile running software v12.x/v13.x.
-- Upgrading to a version that reports an error when using SSLv2, such as v14.x/v15.x.
(1) Modified root SSL profile (such as /Common/clientssl or /Common/serverssl) is present in bigip.conf.
(2) The modified root SSL profile contains an invalid keyword 'COMPAT', 'SSLv2', or 'RC2' in its ciphers
(3) The default profiles whose ciphers inherited from the root profile are not present in bigip.conf. The error for invalid ciphers is reported against these profiles.

Impact:
Beginning in version 14.x, SSLv2 has been changed from being a warning condition, and now prevents the configuration from loading. In most cases the upgrade script properly removes this, so there is no issue. However, if this issue is encountered, the configuration fails to load after upgrading.

Workaround:
There are two possible workarounds:

-- The easiest way to work around this is to comment out the modified base profile from bigip.conf and then run the command: tmsh load sys config.

-- If you are post upgrade, you can use sed to remove the !SSLv2 entries. To do so, perform these steps on the standby device:

 1. cp /config/bigip.conf /config/backup_bigip.conf
 2. Run: sed -i "s/\!SSLv2://g" /config/bigip.conf
 3. tmsh load /sys config


837637-5 : Orphaned bigip_gtm.conf can cause config load failure after upgrading

Component: Global Traffic Manager (DNS)

Symptoms:
Configuration fails to load after upgrade with a message:

01420006:3: Can't find specified cli schema data for x.x.x.x

Where x.x.x.x indicates an older version of BIG-IP software than is currently running.

Conditions:
-- Orphaned bigip_gtm.conf from an older-version. This can occur if GTM/DNS is provisioned, then deprovisioned before upgrade, leaving behind a bigip_gtm.conf with the old schema.

-- Upgrading to a new version that does not contain the schema for the old version that the bigip_gtm.conf uses.

Impact:
Configuration fails to load after upgrade.

Workaround:
Before upgrading:

If the configuration in bigip_gtm.conf is not needed, then it can be renamed (or deleted) before upgrading:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh load sys config gtm-only

After upgrading (i.e., with the system in the Offline state) services must be restarted to pick up the change:

   mv /config/bigip_gtm.conf /config/bigip_gtm.conf.id837637
   tmsh restart sys service all


835505-5 : Tmsh crash potentially related to NGFIPS SDK

Component: Local Traffic Manager

Symptoms:
Tmsh crash occurs rarely. The NGFIPS SDK may generate a core as well.

Conditions:
The exact conditions that trigger this are unknown.

It can be encountered when running the following tmsh command:

tmsh -a show sys crypto fips key field-fmt include-public-keys all-properties

Impact:
Tmsh may crash. You are exited from tmsh if you were using it as a shell.

Workaround:
None.


829021-2 : BIG-IP does not account a presence of http2 profile when response payload is modified

Component: Local Traffic Manager

Symptoms:
The BIG-IP system might close a connection when the HTTP response payload is modified and sent without chunking encoding. If communication goes over an HTTP connection, the BIG-IP system closes a connection to tell a client that a response is served. With HTTP/2 connections, an unsized response is marked with the END_STREAM flag. This case is not accounted for, and the BIG-IP system closes HTTP communication with a server anyway.

Conditions:
-- A virtual server has an http/2 profile configured on the client side.
-- There are other profiles configured which can modify the HTTP response payload.

Impact:
The BIG-IP system wastes resources not reusing a server side HTTP connection when an unsized response is sent over an HTTP/2 connection to a client.

Workaround:
None.


828789-4 : Display of Certificate Subject Alternative Name (SAN) limited to 1023 characters

Component: TMOS

Symptoms:
Certificate Subject Alternative Names are limited to 1023 characters.

Conditions:
Using a certificate with a Subject Alternative Name longer than 1023 characters.

Impact:
A certificate's Subject Alternative Name is not correct in the BIG-IP configuration.

This does not impact the BIG-IP system's ability to select the proper Client SSL profile on a virtual server that uses SNI matching to provide distinct certificates.

Workaround:
Specify fewer than 1023 character for the Certificate Subject Alternative Names.


825501-4 : IPS IM package version is inconsistent on slot if it was installed or loaded when a slot was offline.

Component: Protocol Inspection

Symptoms:
If the IPS IM package is installed on a multi-slot device, and one slot is offline, the IM package version might be different on the offline slot when it comes back online.

It also shows different versions of the Active IM package on different slots.

Conditions:
-- Multi-bladed clustered system.
-- One of the blades is offline.
-- The IPS IM package is installed to the primary blade.

Impact:
The primary blade syncs the IM package to all of the secondary blades that are online; however, when the offline blade comes back online, it does not have the updated IM package.

As a result, traffic being processed by different blades will be using different IPS libraries and might cause inconsistency in the functionality

Workaround:
Although there is no workaround, you can prevent the issue by ensuring that all blades are online when you install an IPS IM package.


824437-8 : Chaining a standard virtual server and an ipother virtual server together can crash TMM.

Component: Local Traffic Manager

Symptoms:
TMM crashes with a SIGFPE and restarts. The TMM logs contain the following panic message:

Assertion "xbuf_delete_until successful" failed.

Conditions:
This issue occurs when the following conditions are met:

-- The system has been configured with a standard virtual server and an Any IP (ipother) virtual server chained together. This can be done explicitly using an iRule that features the 'virtual' command to connect the two virtual servers, or implicitly with certain APM configurations.

-- The pool member on the server-side asks this specific virtual server configuration on the BIG-IP system to retransmit data.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
Ensure the target virtual server in the chain configuration does not use the ipother profile.


822245-1 : Large number of in-TMM monitors results in some monitors being marked down

Component: Local Traffic Manager

Symptoms:
Pool members are marked down from the in-TMM monitor.

Conditions:
Device has a large number of in-TMM monitors.

Impact:
Monitor target may appear down when it is actually up.

Workaround:
Disable in-tmm monitors:
  tmsh modify sys db bigd.tmm value disable


820845-5 : Self-IP does not respond to ( ARP / Neighbour Discovery ) when EtherIP tunnels in use.

Component: TMOS

Symptoms:
BIG-IP systems might not respond to ( ARP / Neighbour Discovery ) requests received via EtherIP tunnels on a multi-blade system.

Conditions:
Decapsulated ( ARP / Neighbour Discovery ) requests for an address owned by the BIG-IP system is processed by a secondary blade.

Impact:
Some endpoints may not be able to resolve ( ARP / Neighbour protocol ) via EtherIP tunnel.

Workaround:
Create static ARP entries on affected endpoints.


817989-2 : Cannot change managemnet IP from GUI

Component: TMOS

Symptoms:
You are unable to change the management IP from the GUI

Conditions:
This is encountered when using the GUI to change the management IP address via the System :: Platform page.

Impact:
The GUI indicates that it will redirect you to the new IP address. You will eventually be redirected but the management IP address is not changed on the BIG-IP device.

Workaround:
Use tmsh to create the management IP. This will overwrite the old one.

Example:
create /sys management-ip [ip address/prefixlen]

To view the management IP configurations

tmsh list /sys management-ip


817369-3 : TCP, UDP, and SCTP proxy converts to GEO proxy when georedundancy profile is attached with virtual server.

Component: Service Provider

Symptoms:
When a georedundancy profile is attached to a TCP, UDP, and SCTP virtual server, proxy does not convert to GEO proxy.

Conditions:
Attach georedundancy profile to a standard TCP, UDP, or SCTP virtual server.

Impact:
Unable to convert proxy to GEO proxy when georedundancy profile is attached with TCP, UDP and SCTP virtual

Workaround:
None.


816953-2 : RST_STREAM is sent in closed state on a serverside stream in HTTP/2 full proxy

Component: Local Traffic Manager

Symptoms:
RST_STREAM is sent on a serverside stream in closing state in HTTP/2 full proxy.

Conditions:
-- HTTP/2 clientside and serverside profiles are attached to the virtual server.
-- HTTP and httprouter profiles are attached to the virtual server.
-- Race between clientside and serverside closing, where clientside closes faster.

Impact:
RST_STREAM is sent on a stream in closed state.


814585-8 : PPTP profile option not available when creating or modifying virtual servers in GUI

Component: TMOS

Symptoms:
There is no option to configure a PPTP profile for a virtual server in the GUI.

Conditions:
Creating or modifying a virtual server in the GUI.

Impact:
Unable to configure the PPTP profile for a virtual server using the GUI.

Workaround:
Use TMSH to add a PPTP profile to the virtual server.


808409-5 : Unable to specify if giaddr will be modified in DHCP relay chain

Component: Local Traffic Manager

Symptoms:
ID746077 changed the dhcprelay behavior in order to comply with RFC 1542 Clarifications and Extensions for BOOTP.

However, as the change also encompasses the DHCP-to-DHCP relay scope, the behavior cannot be configurable with a db key.

Conditions:
DHCP Relay deployments where the giaddr needs to be changed.

Impact:
You are unable to specify whether giaddr will be changed.

Workaround:
None.


807837-1 : Upgrade fails when client-ssl inherits proxy-ca-key/cert with error message: Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.

Component: TMOS

Symptoms:
Upgrade failure when loading configuration file or ucs from older version, with the below error message against child client-ssl profile:

Client SSL profile (/Common/child): must have at least one set of CA type cert-key-chain.

Conditions:
The issue occurs when all of the following conditions are met:
-- When upgrading from an older version (earlier than 14.0.0) to a newer version (14.1.0 or later).
-- The configuration has a child client SSL profile that inherits from a parent client SSL profile.
-- The parent SSL profile has SSL forward proxy enabled and proxy-ca-cert/proxy-ca-key configured.

Impact:
Unable to upgrade the system with old configuration.

Workaround:
You can workaround this issue using the following procedure:

1. Manually edit /config/bigip.conf to add the following lines:
 proxy-ca-cert /Common/rsa.crt
 proxy-ca-key /Common/rsa.key

2. Reload the configuration using the following command:
tmsh load sys config

Here is an example:

ltm profile client-ssl /Common/child {
    app-service none
    cert /Common/default.crt
    cert-key-chain {
        default {
            cert /Common/default.crt
            key /Common/default.key
        }
    }
    chain none
    defaults-from /Common/parent
    inherit-certkeychain true
    key /Common/default.key
    passphrase none
    proxy-ca-cert /Common/rsa.crt <===== add this line
    proxy-ca-key /Common/rsa.key <===== add this line

}


807337-6 : Config utility (web UI) output differs between tmsh and AS3 when the pool monitor is changed.

Component: TMOS

Symptoms:
When a transaction attempts multiple commands (delete, create, modify) for the same object in the same transaction, the results can be unexpected or undefined. A common example is: 'transaction { delete key create_if key }' where the transaction attempts 'delete key', and then 'create_if key', which unmarks the delete operation on the key (so in this case the key remains unmodified). In other cases it is possible that monitoring stops for the associated object, such as for: pool, pool_member, node_address, monitor.

Conditions:
A user-initiated transaction attempts multiple commands for the same monitor-related object (such as delete, create, modify).

Impact:
The GUI shows misleading info about the pool monitor.The monitor-related object may be unchanged, or monitoring may stop for that object.

Workaround:
Transactions modifying a monitor-related object (pool, pool_member, node_address, monitor) should perform a single command upon that object (such as one of: 'delete', 'create', 'modify').


807309-4 : Incorrect Active/Standby status in CLI Prompt after failover test

Component: TMOS

Symptoms:
After running 'promptstatusd -y' to check current failover status, it displays an incorrect Active/Standby status in the CLI prompt.

Conditions:
This occurs under the following conditions:

1. Modify the db variable: bigdb failover.state.
2. Check that /var/prompt/ps1 and CLI prompt reflect the setting.
2. Reboot the BIG-IP system.

Impact:
Status shown in the prompt does not change.

Workaround:
Do not run 'promptstatusd -y' command manually.

The db variable 'failover.state is a status-reporting variable. The system does not report status manually set to something other than the actual status.

Note: 'promptstatusd' is not a BIG-IP user command, it is a daemon. It is highly unlikely that manually running this command will produce information that is useful or relevant to the status being sought.


806073-8 : MySQL monitor fails to connect to MySQL Server v8.0

Component: TMOS

Symptoms:
The LTM MySQL health monitor fails to connect to a MySQL server running MySQL Server v8.0.
A pool member configured for a MySQL server running MySQL Server v8.0 and using the MySQL health monitor will be marked DOWN.

Conditions:
This occurs when using the LTM MySQL health monitor to monitor a MySQL server running MySQL Server v8.0.

Impact:
BIG-IP cannot monitor the health of a MySQL server running MySQL Server v8.0 using the MySQL health monitor.


803833-6 : On Upgrade or UCS Restore Decryption of the vCMP Guest sym-unit-key Field Fails on the Host

Component: TMOS

Symptoms:
An upgrade or UCS restore fails on the host with an error message:

err mcpd[1001]: 01071769:3: Decryption of the field (sym_unit_key) for object (<guest name>) failed.

Conditions:
-- An upgrade or UCS restore of the vCMP host.
-- Having a vCMP guest's sym-unit-key field populated.
-- Having changed the host's master key.

Impact:
The upgrade or UCS restore fails with an MCPD error.

Workaround:
Comment out the sym-unit-key field and load the configuration.


803629-8 : SQL monitor fails with 'Analyze Response failure' message even if recv string is correct

Component: Local Traffic Manager

Symptoms:
For a database (mssql, mysql, postgresql or oracle) monitor type, with a 'recv' string configured, a pool member configured to use the DB monitor may be marked down even if the server is working and includes the configured response string among the response data.

Debug logging of the SQL monitor indicates the following:
... [DBPinger-3778] - Response from server: Database: 'db1'Database: 'information_schema'
... [DBPinger-3778] - Checking for recv string: information_schema
... [DBPinger-3778] - Analyze Response failure

The log shows 'Analyze Response failure' error message even when the configured 'recv' string appears within the response message from the DB server.

Conditions:
This occurs when the string matching the configured 'recv' string value does not appear in the response from the DB server in the row indicated by the 'recv-row' value configured for the monitor.

The default value of 'none' for the 'recv-row' monitor configuration value is actually interpreted as 'row 1' by the DB monitor core implementation.
Therefore, with the default configuration, any 'recv' string configured must appear in the first row of the DB server response in order to be recognized as a match.

Impact:
The DB monitor fails, and the DB server (node) is marked as down even though it is reachable and responding correctly per the configured 'recv' string.

Workaround:
You may use one of the following methods to work around this issue:
1. Configure the DB monitor's 'recv' string to match on the first row in the server response message.
2. Configure the 'recv-row' value in the DB monitor to match the row of the DB server's response which contains the configured 'recv' string.
3. Do not configure 'send' or 'recv' string for the DB monitor.


803233-6 : Pool may temporarily become empty and any virtual server that uses that pool may temporarily become unavailable

Component: Local Traffic Manager

Symptoms:
Intermittently (depending the timing of operations that keep MCP busy):

1. Messages similar to the following may be logged in the LTM log, indicating that the virtual server associated with a pool became temporarily unavailable:

-- notice mcpd[4815]: 01071682:5: SNMP_TRAP: Virtual /Common/test_vs has become unavailable.
-- notice mcpd[4815]: 01071681:5: SNMP_TRAP: Virtual /Common/test_vs has become available.

2. Optionally, if a 'min-up-members' value is configured for the pool, a message similar to the following may be logged in the LTM log, indicating that the number of available pool members became less than the configured value:

-- notice mcpd[4815]: 01070282:3: Number of pool members 2 less than min up members 3.

Conditions:
1. The pool members are all FQDN pool members.
2. The DNS query to resolve pool member FQDNs returns a completely new (non-overlapping) set of IP addresses.
(This causes all existing Ephemeral pool members to be removed and replaced with new Ephemeral pool members.)
3. MCP is very busy and slow to process messages.

Impact:
Under these conditions, existing Ephemeral pool members may be removed before new Ephemeral pool members can be created to replace them, causing the pool member to become temporarily empty. This can result in intermittent loss of availability of the virtual server if all records returned by the DNS server for the referenced FQDN change from the previous response.

Workaround:
None.


803149-3 : Flow Inspector cannot filter on IP address with non-default route_domain

Component: Advanced Firewall Manager

Symptoms:
Flow Inspector cannot filter on IP address with non-default route_domain.

Conditions:
-- In Flow Inspector.
-- Attempting to filter results.
-- Some results use IP addresses with non-default route domains.

Impact:
Filter does not return results as expected.

Workaround:
None.


799001-8 : Sflow agent does not handle disconnect from SNMPD manager correctly

Component: TMOS

Symptoms:
If Sflow agent loses the connection with the SNMPD Manager, it tries to connect multiple times but fails to reconnect.

Conditions:
Sflow agent loses connection with the SNMPD Manager. The conditions that may trigger this are unknown.

Impact:
Snmpd service restarts repeatedly

Workaround:
Run 'tmsh restart sys service sflow_agent' to clear the session data in the sflow agent which results in successful re-connection with snmpd.


798885-5 : SNMP response times may be long due to processing burden of requests

Component: TMOS

Symptoms:
It is possible with large configurations to make SNMP requests that require a lot of processing to gather the statistics needed to respond to the request.

Conditions:
With large configurations, it is possible to overburden MCPD and SNMPD such that client queries time out.

Impact:
SNMP clients might think the BIG-IP system has become unresponsive.

Workaround:
If the responses to SNMP queries are taking too long, MCPD and SNMPD may overburden the control plane. It may be necessary to lengthen the timeout and retry values used by the SNMP client. It may also be helpful to trim what is queried, for example, not repetitively walking large tables like the Virtual Server or LTM Pool Member tables for statistics.


797829-7 : The BIG-IP system may fail to deploy new or reconfigure existing iApps

Component: TMOS

Symptoms:
The BIG-IP system may fail to deploy new or reconfigure existing iApps. When this happens, a long error message is displayed in the GUI that begins with:

script did not successfully complete: ('source-addr' unexpected argument while executing

The message is also logged to /var/log/audit by scriptd with a severity of 'notice'.

The unexpected argument mentioned in the error varies depending on the iApp being deployed and on the settings you configure. You may also see 'snatpool', 'ldap', etc.

Conditions:
This issue occurs when:

-- The BIG-IP system is configured with multiple users of varying roles.

-- The scriptd daemon has already spawned the maximum number (5) of allowed child processes to serve its queue, and all the processes were assigned a low 'security context'. This can happen, for instance, if a low-privileged user (such as an Auditor) has been looking at the configuration of iApps using the GUI a lot.

-- Subsequently, a high-privileged user (such as an Administrator) attempts to deploy a new iApp or reconfigure an existing one.

Note: You can inspect the number of child processes already created by scriptd by running the following command:

pstree -a -p -l | grep scriptd | grep -v grep

However, it is not possible to determine their current 'security context'.

Impact:
New iApps cannot be deployed. Existing iApps cannot be re-configured.

Workaround:
Restart scriptd. To restart scriptd, run:

bigstart restart scriptd

Running this command has no negative impact on the system.

The workaround is not permanent; the issue may occasionally recur depending on your system usage.


794417-5 : Modifying enforce-tls-requirements to enabled on the HTTP/2 profile when renegotiation is enabled on the client-ssl profile should cause validation failure but does not

Component: Local Traffic Manager

Symptoms:
On a single virtual server, when 'TLS Renegotiation' is enabled in an associated Client SSL profile, the system should prevent enabling the 'Enforce TLS Requirements' option in the associated HTTP/2 profile.

Conditions:
BIG-IP system validation does not prevent this configuration in the following scenario:

1. Disable the 'Enforce TLS Requirements' option in the HTTP/2 profile.
2. Enable 'TLS Renegotiation' in the Client SSL profile.
3. Enable the 'Enforce TLS Requirements' option in the HTTP/2 profile.

Impact:
The configuration will not load if saved.

Workaround:
Do not simultaneously disable 'Enforce TLS Requirements' in the HTTP/2 profile, and enable 'TLS Renegotiation' in the Client SSL profile on a single virtual server.


794385-4 : BGP sessions may be reset after CMP state change

Component: Local Traffic Manager

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, there is a small chance that ingress ACK packet of previously established BGP connection is going to be disaggregated to the new processing group(TMMs) and selected TMM is ready to process traffic, but is not ready yet to process traffic for existing connection. In this case, connection isn't processed and reset instead.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BGP peering is configured.
-- CMP state change is occurred on one of the blades.
-- BGP ingress ACK packet is disaggregated to TMM, which either wrong TMM or not ready to process the packet of already established connection

Impact:
Affected BGP peering is reset and dynamic routes learnt by the configured protocol are withdrawn, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decisions are from networks learnt by affected routing protocols when the routing process on the BIG-IP system becomes unreachable. However, this state is short-lived, because the peering is recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There is no workaround, but the issue was never seen with a configuration where CMP hash of affected VLAN is changed back to Default value.


793669-6 : FQDN ephemeral pool members on high availability (HA) pair does not get properly synced of the new session value

Component: Local Traffic Manager

Symptoms:
On a high availability (HA) paired device group configuration, where there are FQDN nodes as pool members in a pool, when the pool member is enabled or disabled on one device, and with config-sync, the other device does not fully update the peer. The template node gets updated with the new value, but the ephemeral pool member retains the old value.

Conditions:
Steps to Reproduce:
1. Configure HA, specifically a Device group (e.g., Failover) with two BIG-IP systems.
2. Create an HTTP pool (TEST_FQDN_POOL) and FQDN Pool Member on both systems.
3. Wait for the FQDN pool member to report as AVAIL_GREEN and the ephemeral node as AVAIL_BLUE on both systems.
4. Tmsh login to any of the systems.
5. Run the command:
tmsh run cm config-sync to-group Failover
6. Run the command:
tmsh modify ltm pool TEST_FQDN_POOL members modify { example.com:http { session user-disabled } }
7. Run the command:
tmsh run cm config-sync force-full-load-push to-group Failover

Impact:
FQDN pool member enabling/disabling is not being fully propagated to the other device after config-sync.

Workaround:
None.


791669-3 : TMM might crash when Bot Defense is configured for multiple domains

Component: Application Security Manager

Symptoms:
TMM might crash and generate a core file when using a Bot Defense profile that is configured for multiple domains.

Conditions:
Bot Defense is configured with multiple 'Related Site Domains' and attached to a virtual server.

Impact:
TMM crash with core. Traffic disrupted while tmm restarts.

Workaround:
None,


789857-4 : "TCP half open' reports drops made by LTM syn-cookies mitigation.

Component: Advanced Firewall Manager

Symptoms:
'TCP half open' reports drops in logs/tmctl/AVR even though it is configured in detect-only mode.

Conditions:
-- 'TCP half open' attack is being actively detected.
-- LTM syn-cookie mitigation is enabled.
-- This is triggered when LTM syn-cookies mitigation begins.

Impact:
It will appear that 'TCP half open' is doing mitigation, but it is actually LTM syn-cookies dropping the connections.

Workaround:
If LTM syn-cookies are not needed, disable the option:

modify ltm global-settings connection default-vs-syn-challenge-threshold infinite global-syn-challenge-threshold infinite


789421-5 : Resource-administrator cannot create GTM server object through GUI

Component: Global Traffic Manager (DNS)

Symptoms:
Users logged in with a role of resource-administrator are unable to create a GTM server object via GUI. The warning banner reports 'No Access'.

Conditions:
A user with a role of resource-administrator attempts to create a GTM server object.

Impact:
Unable to create GTM server object via the GUI.

Workaround:
Use tmsh or iControl/REST.


788577-8 : BFD sessions may be reset after CMP state change

Component: TMOS

Symptoms:
A CMP (Clustered Multiprocessing) state change occurs when the state of the BIG-IP system changes.

This happens in the following instances:
  - Blade reset.
  - Booting up or shutting down.
  - Running 'bigstart restart'.
  - Setting a blade state from/to primary/secondary.

During these events, Bidirectional Forwarding Detection (BFD) session processing ownership might be migrating from old, processing TMMs to new, selected TMMs. This process is rapid and could lead to contest between several TMMs over who should be the next BFD processing owner.

It might also lead to a situation where the BFD session is deleted and immediately recreated.

This problem occurs rarely and only on a chassis with more than one blade.

Conditions:
-- VIPRION chassis with more than one blade.
-- CMP hash of affected VLAN is changed from the Default value, for example, to Source Address.
-- BFD peering is configured.
-- CMP state change is occurred on one of the blades.
-- BFD connection is redistributed to the processing group (TMMs) on the blade that experienced the CMP state change and the contest between the old TMM owner and the new TMM owner occurs.

Impact:
When the BFD session is recreated, it marks corresponding routing protocol DOWN if it's configured. The protocol might be BGP, OSPF, or any other routing protocols that support BFD.

This causes the routing protocol to withdraw dynamic routes learnt by the configured protocol, making it impossible to advertise dynamic routes of affected routing protocols from the BIG-IP system to the configured peers. This can lead to unexpected routing decisions on the BIG-IP system or other devices in the routing mesh.

In most cases, unexpected routing decision are from networks learnt by affected routing protocols when the routing process on the BIG-IP system become unreachable. However, this state is short-lived, because the peering will be recreated shortly after the routing protocol restarts. The peering time depends on the routing configuration and responsiveness of other routing devices connected to the BIG-IP system. It's the usual routing convergence period, which includes setting the peering and exchanging routing information and routes.

Workaround:
There are two workarounds, although the latter is probably impractical:

-- Change CMP hash of affected VLAN to the Default value.
-- Maintain a chassis with a single blade only. Disable or shut down all blades except one.


788465-6 : DNS cache idx synced across HA group could cause tmm crash

Component: Global Traffic Manager (DNS)

Symptoms:
DNS cache idx conflicts and tmm crash.

Conditions:
-- High availability (HA) configuration.
-- DNS cache is configured and synced to the peer twice
-- A second DNS cache is configured on the peer.

Impact:
The idx conflicts will be observed. If the second DNS cache is of another type and is added to a virtual server, accessing that virtual server might cause a tmm core. Traffic disrupted while tmm restarts.

Workaround:
On the BIG-IP system that has the DNS cache idx conflicts, restart tmm:
# bigstart restart tmm


785877-4 : VLAN groups do not bridge non-link-local multicast traffic.

Component: Local Traffic Manager

Symptoms:
VLAN groups do not bridge non-link-local multicast traffic.

Conditions:
-- VLAN groups configured.
-- Using non-link-local multicast traffic.

Impact:
Non-link-local multicast traffic does not get forwarded.

Workaround:
None.


785361-2 : In L2wire mode packets from srcIP 0.0.0.0 will be silently dropped

Component: Local Traffic Manager

Symptoms:
If the BIG-IP system is configured in L2Wire mode, packets from srcIP 0.0.0.0 are dropped.

Conditions:
L2Wire mode.

Impact:
All srcIP 0.0.0.0 packets are dropped silently.

Workaround:
Configure the virtual server to be in L2-forward mode.


785017-5 : Secondary blades go offline after new primary is elected

Component: TMOS

Symptoms:
Secondary active blades go offline.

Conditions:
-- Cluster with three or more active blades.
-- Primary blade is rebooted.

For example, on a 4-bladed system, after slot 1 (primary blade) was rebooted and slot 2 (secondary blade) takes over as primary, slots 3 and 4 both go offline due to high availability (HA) table, with the logs showing reason as 'waiting for configuration load'.

Impact:
Cluster reduced to a single blade, which may impact performance.

Workaround:
None.


783125-5 : iRule drop command on DNS traffic without Datagram-LB may cause TMM crash

Component: Global Traffic Manager (DNS)

Symptoms:
The TMM may crash and restart when an iRule on a DNS virtual server performs the 'drop' command while the BIG-IP system is handling both a DNS request and DNS response at the same time for the same DNS client IP and port without UDP Datagram-LB.

Conditions:
-- The BIG-IP instance has two or more TMM processes as a result of having two or more physical cores or virtual CPUs.
-- A virtual server with both DNS and UDP profiles and one or more iRules.
-- The UDP profile has Datagram LB disabled.
-- The iRules have a 'drop' command.
-- The iRules have a DNS_REQUEST and/or DNS_RESPONSE event with an iRule command that require coordinating data with another TMM on the system, such as the 'table' command.

Impact:
TMM crash or restart. Traffic impacted. Traffic disrupted while tmm restarts.

Workaround:
F5 strongly recommends using a UDP profile with Datagram-LB enabled for DNS UDP virtual servers.

Alternatively, replace the 'drop' command with DNS::drop in DNS_REQUEST and DNS_RESPONSE events, or with UDP::drop in other iRule events.

See the respective references pages for DNS::drop and UDP::drop for the Valid Events each iRule command is available in:
    https://clouddocs.f5.com/api/irules/DNS__drop.html
    https://clouddocs.f5.com/api/irules/UDP__drop.html


780857-1 : HA failover network disruption when cluster management IP is not

Component: Local Traffic Manager

Symptoms:
If the cluster management IP address is not in the list of failover network unicast addresses, the blade management IP addresses in the unicast mesh will not be able to receive failover messages from peer devices.

Conditions:
-- VIPRION chassis or vCMP guest on a VIPRION chassis.
-- Per-blade management IP addresses listed in the failover network unicast mesh.
-- No cluster management IP address listed.

Impact:
The blade management IP addresses in the failover network unicast mesh stop functioning:

[root@VIP2200-R75-S5:/S1-green-P::Standby:In Sync] config # tmctl -w 200 -S sod_tg_conn_stat
entry_key local_failover_addr remote_device_name pkts_received transitions last_msg status
----------------------------- ------------------- ------------------------------ ------------- ----------- ---------- ------
10.200.75.8->10.10.10.1:1026 10.10.10.1:1026 VIP2200-R75-S8.sin.pslab.local 3249 3 1555399271 1
10.200.75.8->10.200.75.3:1026 10.200.75.3:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--
10.200.75.8->10.200.75.4:1026 10.200.75.4:1026 VIP2200-R75-S8.sin.pslab.local 0 1 0 0 <--

Workaround:
You can add an explicit management IP firewall rule to allow this traffic:

tmsh modify security firewall management-ip-rules rules add { accept_udp_1026 { place-before first ip-protocol udp destination { ports add { 1026 } } action accept } }

This will add a firewall policy so port 1026 is no longer locked down, and the blade management IP addresses in the unicast mesh should begin to function properly.


780745-4 : TMSH allows creation of duplicate community strings for SNMP v1/v2 access

Component: TMOS

Symptoms:
TMSH allows you to create multiple access records with the same IP protocol, same Source IP network, and same community string.

Conditions:
Duplicate access records are created in TMSH.

Impact:
Unintended permissions can be provided when an undesired access record with the correct community string is matched to a request instead of the desired access record.

Workaround:
Use the Configuration Utility to manage SNMP v1/2c access records. (The GUI properly flags the error with the message:
The specified SNMP community already exists in the database.

If you use tmsh, ensure that community strings remain unique within each Source IP Network for each IP protocol.


780437-7 : Upon rebooting a VIPRION chassis provisioned as a vCMP host, some vCMP guests can return online with no configuration.

Component: TMOS

Symptoms:
It is possible, although unlikely, for a vCMP host to scan the /shared/vmdisks directory for virtual disk files while the directory is unmounted.

As such, virtual disk files that existed before the reboot will not be detected, and the vCMP host will proceed to create them again.

The virtual disks get created again, delaying the guests from booting. Once the guests finally boot, they have no configuration.

Additionally, the new virtual disk files are created on the wrong disk device, as /shared/vmdisks is still unmounted.

Symptoms for this issue include:

-- Running the 'mount' command on affected host blades and noticing that /shared/vmdisks is not mounted.

-- Running the 'tmsh show vcmp guest' command on affected host blades (early on after the reboot) and noticing some guests have status 'installing-vdisk'.

-- Running the 'lsof' command on affected and unaffected host blades shows different device numbers for the filesystem hosting the virtual disks, as shown in the following example (note 253,16 and 253,1):

qemu-kvm 19386 qemu 15u REG 253,16 161061273600 8622659 /shared/vmdisks/s1g2.img

qemu-kvm 38655 qemu 15u REG 253,1 161061273600 2678798 /shared/vmdisks/s2g1.img

-- The /var/log/ltm file includes entries similar to the following example, indicating new virtual disks are being created for one of more vCMP guests:

info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Adding.
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:0]
notice vcmpd[x]: 01510006:5: Guest (s2g1): Creating VDisk (/shared/vmdisks/s2g1.img)
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:1]
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_ACQUIRING_VDISK->VS_WAITING_INSTALL
info vcmpd[x]: 01510007:6: Guest (s2g1): VS_WAITING_INSTALL->VS_INSTALLING_VDISK
notice vcmpd[x]: 01510006:5: Guest (s2g1): Installing image (/shared/images/BIGIP-12.1.2.0.0.249.iso) to VDisk (/shared/vmdisks/s2g1.img).
info vcmpd[x]: 01510007:6: VDisk (s2g1.img/2): Syncing with MCP - [filename:s2g1.img slot:2 installed_os:0 state:2]

Conditions:
-- VIPRION chassis provisioned in vCMP mode with more than one blade in it.

-- Large configuration with many guests.

-- The VIPRION chassis is rebooted.

-- A different issue, of type 'Configuration from primary failed validation' occurs during startup on one or more Secondary blades. By design, MCPD restarts once on affected Secondary blades, which is the trigger for this issue. An example of such a trigger issue is Bug ID 563905: Upon rebooting a multi-blade VIPRION or vCMP guest, MCPD can restart once on Secondary blades.

Impact:
-- Loss of entire configuration on previously working vCMP guests.

-- The /shared/vmdisks directory, in its unmounted state, may not have sufficient disk space to accommodate all the virtual disks for the vCMP guests designated to run on that blade. As such, some guests may fail to start.

-- If you continue using the affected guests by re-deploying configuration to them, further configuration loss may occur after a new chassis reboot during which this issue does not happen. This occurs because the guests would then be using the original virtual disk files; however, their configuration may have changed since then, and so some recently created objects may be missing.

Workaround:
There is no workaround to prevent this issue. However, you can minimize the risk of hitting this issue by ensuring you are running a software version (on the host system) where all known 'Configuration from primary failed validation' issues have been resolved.

If you believe you are currently affected by this issue, please contact F5 Networks Technical Support for assistance in recovering the original virtual disk files.


779857-3 : Misleading GUI error when installing a new version in another partition

Component: TMOS

Symptoms:
While installing a new version in another partition, the GUI displays an error for a brief time:

'Install Status':Failed Troubleshooting

Conditions:
Install a new version in another partition.

Impact:
The GUI error is misleading. It is showing the install status as 'Failed Troubleshooting' even though the installation is proceeding normally. The installation process is proceeding normally; only the error is incorrect and does not indicate a problem with the installation.

Workaround:
If you click on the 'Troubleshooting' link on the GUI screen, the GUI indicates that it is actually installing properly without any error.


778501-3 : LB_FAILED does not fire on failure of HTTP/2 server connection establishment

Component: Local Traffic Manager

Symptoms:
When the server connection fails to be established due to server being down or actively rejecting the connection, LB_FAILED should fire and allow a new destination to be selected via iRule.

Conditions:
- iRule with LB_FAILED event
- server connection establishment fails

Impact:
Selection of a new destination via LB_FAILED is not possible, thus the client connection will be aborted.

Workaround:
No workaround available.


778225-4 : vCMP guests don't have the f5_api_com key and certificate installed when licensed by vCMP host

Component: Protocol Inspection

Symptoms:
Automatic hitless upgrade for protocol inspection fails on vCMP guests. This occurs because vCMP guest don't install f5_api_com key and certificates.

Conditions:
After licensing a vCMP guest, there is no f5_api_com key or certificate (you can run key_cache_path and crt_cache_path to determine that).

Impact:
Hitless upgrade fails for protocol inspection and traffic classification on vCMP guests.

Workaround:
Install the hitless upgrade IM package manually.


778041-4 : tcpdump fails with an unclear message when the 'epva' option is used on non-epva platforms (directly or through 'all' option)

Component: TMOS

Symptoms:
When tcpdump is invoked with the epva option on a non-epva platform (BIG-IP Virtual Edition, for example), it fails with an unclear message

errbuf:DPT Provider fatal error. Provider:ePVA Provider. No valid arguments.

Conditions:
-- Using a non-epva platform such as VE.
-- Calling the epva option:
  + Directly:
tcpdump -i 0.0 --f5 epva
  + Indirectly using 'all' (which includes epva):
tcpdump -i 0.0 --f5 all

Impact:
Unclear message does not give clear indication what the issue is, or how to get tcpdump to run with the 'all' option on non-epva platforms

Workaround:
Do not use the explicit epva option on non-epva platforms (it does not work anyway, as there is no epva debug information on those platforms).

Instead of 'all', explicitly specify other, non-epva providers on such platforms, for example, specifying 'noise' and 'ssl' providers:
tcpdump -i 0.0 --f5 n,ssl


777389-6 : In a corner case, for PostgreSQL monitor MCP process restarts

Component: TMOS

Symptoms:
MCP expects a monitoring response from SQL server and starts polling for data continuously, resulting in infinite loop.

Conditions:
In one of the corner cases of SQL monitoring, MCP expects to read monitoring data from the PostgreSQL server, but there is no data available to read.

Impact:
MCPD goes into an infinite loop and skips the heartbeat report, resulting in its restart. While MCPD is restarting, the system is offline and does not process traffic. After restart, system operation returns to normal.

Workaround:
None.


776393-4 : Memory leak in restjavad causing restjavad to restart frequently with OOM

Component: TMOS

Symptoms:
Restjavad frequently (approximately every 5 minutes) restarting due to OutOfMemory:Java heap space with no extra memory.

Conditions:
-- BIG-IP system with no extra memory given to restjavad.
-- The configuration contains a large number of configuration items related to APM access-policies, APM policy-items, APM policy agents, LTM nodes, LTM rules, DNS Requests, sys application services, LTM data-groups, LTM profiles, security bot-defense profiles, and sys file ssl-certs.

Impact:
REST API intermittently unavailable.

Workaround:
Give restjavad extra memory. This is two-step process.

1. Update memory allocated to the control plane using TMUI. System :: Resource Provisioning. The line for Management has a drop-down box for Small, Medium, or Large. The resulting sizes for restjavad is 192, 352, and 592, respectively. Set this to Large.

2. Run the following two commands, in sequence:
   tmsh modify sys db restjavad.useextramb value true
   bigstart restart restjavad


775797-4 : Previously deleted user account might get authenticated

Component: TMOS

Symptoms:
A user account which may have originally been manually configured as a local user (auth user) but may have since been removed, might still get authenticated and be able to modify the BIG-IP configuration.

Conditions:
-- User account configured as local user.
-- The user account is deleted later.

(Note: The exact steps to produce this issue are not yet known).

Impact:
The deleted user that no longer exists in the local user list and which is also not explicitly authorized by remote role groups, can get authenticated. The deleted user is also able to modify the BIG-IP configuration via iControl.

Workaround:
None.


768085-6 : Error in python script /usr/libexec/iAppsLX_save_pre line 79

Component: iApp Technology

Symptoms:
While creating a UCS file, you see a confusing error message, and the UCS file is not created:
Failed task: %s: %s"%(taskUri, taskResult['message']))"

Conditions:
This can be encountered while trying to create a UCS file.

Impact:
Certain failure messages are not interpreted correctly by the script, resulting in the actual error message not being displayed.

Workaround:
None.


767217-4 : Under certain conditions when deleting an iRule, an incorrect dependency error is seen

Component: Local Traffic Manager

Symptoms:
If an iRule is being referenced by another iRule, and the reference is then removed, attempts to delete the formerly referenced iRule will result in an error similar to the following:

01070265:3: The rule (/Common/irule1) cannot be deleted because it is in use by a rule (/Common/irule2).

Conditions:
-- An iRule referencing another iRule.
-- The referencing iRule is in use.

Impact:
Unable to delete the iRule.

Workaround:
Save and re-load the configuration.


766593-6 : RESOLV::lookup with bytes array input does not work when length is exactly 4, 16, or 20

Component: Local Traffic Manager

Symptoms:
RESOLVE::lookup returns empty string.

Conditions:
Input bytes array is at length of 4, 16, or 20.

For example:
[RESOLV::lookup @dnsserveraddress -a [binary format a* $host1.d1test.com]]

Impact:
RESOLVE::lookup returns empty string.

Workaround:
Use lindex 0 to get the first element of the array.

For example:
[RESOLV::lookup @dnsserveraddress -a [lindex [binary format a* $host1.d1test.com] 0]]


766017-7 : [APM][LocalDB] Local user database instance name length check inconsistencies

Component: Access Policy Manager

Symptoms:
Tmsh accepts long localdb instance names, but ldbutil later refuses to work with names longer than 64 characters.

The GUI limits the instance name length to 64 characters including the partition prefix, but this is not obvious to the admin.

Conditions:
-- Create a 64 character long local user database instance using tmsh.
-- Try to add users to this instance or try to delete the instance from the GUI.

Impact:
A tmsh-created localdb instance with a name length greater than 64 characters can be created but cannot be used.

Workaround:
Delete instance from tmsh and re-create it with a shorter name.


764969-1 : ILX no longer supports symlinks in workspaces as of v14.1.0

Component: Local Traffic Manager

Symptoms:
The GUI and TMSH report an error message if a symlink is present, and the workspace does not run. The error appears similar to the following:
General database error retrieving information.
General error: 01070711:3: boost::filesystem::status: Permission denied: "/var/ilx/workspaces/Common/test_links1/tmp_file" in statement [SELECT COUNT(*) FROM dev_workspace WHERE name LIKE '%'].

Conditions:
-- An ILX workspace is in the configuration.
-- The workspace contains a symlink.
-- Install the relevant rpm package with --no-bin-links (e.g., npm install <package-name> --no-bin-links).

Impact:
The ILX module is not accessible via the GUI, and the workspace with the symlink cannot be run.

Workaround:
1. Remove the symlink.
2. Copy the file into the workspace.


762137-4 : Ping6 with correctly populated NDP entry fails

Component: Local Traffic Manager

Symptoms:
TMM NDP entries show correct info with neighbor discovery protocol (NDP) resolved but ping6 fails

Conditions:
This occurs only on a cluster setup. Other conditions that cause the issue are unknown.

Impact:
Ping6 fails for that address.

Workaround:
None.


762097-4 : No swap memory available after upgrading to v14.1.0 and above

Component: TMOS

Symptoms:
After an upgrade to v14.1.0 or higher, swap memory may not be mounted. TMM or other host processes may restart due to lack of memory.

Conditions:
-- System is upgraded to v14.1.0 or above.

-- System has RAID storage.

Impact:
May lead to low or out-of-memory condition. The Linux oom killer may terminate processes, possibly affecting service.

Typically management activities may be impacted, for example, a sluggish GUI (config utility) or tmsh sessions.

Workaround:
Mount the swap volume with correct ID representing the swap device.

Perform the following steps on the system after booting into the affected software version:

1. Get the correct ID (RAID device number (/dev/md<number>)):
blkid | grep swap

Note: If there is no RAID device number, perform the procedure detailed in the following section.

2. Check the device or UUID representing swap in /etc/fstab.

3. If swap is not represented with the correct ID, modify the /etc/fstab swap entry to point to the correct device.

4. Enable the swap:
swapon -a

5. Check swap volume size:
swapon -s


If the blkid command shows there is no UUID associated with the swap RAID device, use the following procedure:

1. Generate a random UUID:
uuidgen

2. Make sure swap is turned off:
swapoff -a

3. Recreate the swap partition with UUID generated in step 1:
mkswap -U <uuid_from_step_1> <raid_device_from_step_1>

4. Run blkid again to make sure that you now have a UUID associated with the raid device:
blkid | grep swap

5. edit fstab and find the line
      <old_value> swap swap defaults 0 0

6. Replace the old value, whether it was an incorrect UUID or a device name, with the UUID generated in step 1, for example:
      UUID=8b35b30b-1076-42bb-8d3f-02acd494f2c8 swap swap defaults 0 0


760932-2 : Part of APM log messages are also in other logs when strings are long

Component: TMOS

Symptoms:
APM logs are also in other logs like /var/log/user.log and /var/log/messages.

Conditions:
-- When APM log message strings are long.
-- APM in use.

Impact:
Log messages are duplicated. There is no indication of system functionality, and you can safely ignore them.

Workaround:
None.


760752-4 : Internal sync-change conflict after update to local users table

Component: Device Management

Symptoms:
-- The 'top' command shows Java and mcpd becoming CPU intensive.
-- /var/log/audit shows many 'modify { user_role_partition { user_role_partition_user ...'
-- /var/log/restjavad-audit.0.log shows many REST API calls to 'http://localhost:8100/mgmt/shared/gossip' from the peer.

Conditions:
-- Create a new admin user with bash access on a device.

Impact:
High CPU usage (Java and mcpd) on control and analysis plane.

Workaround:
To work around this issue, follow these steps:

1. Sync from the device where the user was created.
2. Run the following command on all devices:
tmsh restart sys service restjavad

Although Java and mcpd will still show high CPU usage even after restart, waiting a few minutes enables the processes to return to normal.


760740-4 : Mysql error is displayed when saving UCS configuration on BIG-IP system when MySQL is not running

Component: Protocol Inspection

Symptoms:
When saving the configuration to a UCS file, the process tries save the IPS learning information stored in the MySQL database.

MySQL runs only when particular modules are provisioned. If MySQL was previously running as a result of different provisioning, but is not currently running, saving the configuration to a UCS file succeeds, but the system reports a spurious message during the operation:

Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock.

Conditions:
-- Saving the configuration to a UCS file.
-- BIG-IP system provisioning only includes modules that do not require MySQL. These modules may include:
   + LTM
   + FPS
   + GTM (DNS)
   + LC
   + SWG
   + iLX
   + SSLo

-- BIG-IP system was previously provisioned with a module that starts MySQL, which results in the creation of the file /var/db/mysqlpw. These modules may include:
   + APM
   + ASM
   + AVR
   + PEM
   + AFM
   + vCMP

Impact:
The error message is cosmetic and has no impact on the UCS save process.

Workaround:
None.


760629-6 : Remove Obsolete APM keys in BigDB

Component: Access Policy Manager

Symptoms:
Several APM/Access BigDB keys are obsolete and should be removed as they only add confusion

Conditions:
--BigIp is UP and Running

Impact:
Though those keys are not being used they create confusion as a placeholder

Workaround:
Remove those keys from BigDB and control plane side as those are not being used. But don't remove the keys which has still dependancies with other modules and also don/'t remove those keys used in upgrade


760590-5 : TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server

Component: Local Traffic Manager

Symptoms:
TCP Verified-Accept with proxy-mss enabled does not honor the route-metrics cache when sending the SYN to the server

Conditions:
-- TCP Verified-Accept option is used.
-- The proxy-mss is enabled.
-- The route-metrics cache entry is enabled.

Impact:
Route-metrics cache entry does not get used.

Workaround:
None.


760354-2 : Continual mcpd process restarts after removing big logs when /var/log is full

Component: TMOS

Symptoms:
Unit suddenly stops passing traffic. You might see errors similar to the following:

err mcpd[15230]: 01070596:3: An unexpected failure has occurred, TAP creation failed (tmm): Permission denied - net/validation/routing.cpp, line 168, exiting...

Conditions:
This might occur when when /var/log is full and then you remove big logs.

Impact:
The mcpd process restarts continuously. This occurs because tmm blocks mcpd from restarting after /var/log fills up.

Workaround:
Fix the logs and reboot the BIG-IP system.


759737-4 : Control and Analysis Plane CPU usage statistics are inaccurate for single core vCMP guests

Component: TMOS

Symptoms:
CPU usage statistics reported for Control and Analysis planes are not described properly for single-core vCMP guests.

Conditions:
A vCMP guest with a single core.

Impact:
CPU usage statistics report 0 Control Plane cores and 1 Analysis Plane core.

Workaround:
On a single core, two hyperthread vCMP guest, one hyperthread/CPU is dedicated to Data Plane while the other is dedicated to Control and Analysis Plane. All statistics attributed to the Analysis Plane in this CPU configuration are in fact the aggregate of Control Plane and Analysis Plane.


759590-7 : Creation of RADIUS authentication fails with service types other than 'authenticate only'

Component: TMOS

Symptoms:
RADIUS authentication can only have an initial service type of 'authenticate only'.

Conditions:
This is encountered when configuring RADIUS authentication via the GUI.

Impact:
If you change the Service Type to anything except Authenticate Only (default), Authentication creation fails, and the following error appears in /var/log/webui.log:

01020066:3: The requested RADIUS Authentication Configuration (/Common/system-auth) already exists in partition Common.

Workaround:
After configuring RADIUS authentication with 'authenticate only' as the service type, go back and change the service type to the desired option.


759564-1 : GUI not available after upgrade

Component: TMOS

Symptoms:
After installing over the top of a previous version, the Management GUI is inaccessible while SSH access works. You may see one or more of the following conditions

    Shell prompt may show logger[1234]: Re-starting named
    bigstart restart httpd fails
    bigstart start httpd fails

Conditions:
Installation over a previously used Boot Volume

Impact:
Corrupt install

Workaround:
Boot back to previous boot volume and then delete the boot volume containing the failed install.


758491-4 : When using NetHSM integration, after upgrade to 14.1.0 or later (or creating keys using fipskey.nethsm), BIG-IP cannot use the keys

Component: Local Traffic Manager

Symptoms:
For Thales:
The ltm/log shows SSL handshake failures with similar lines (this is for Diffie-Hellman Key Exchange):

-- warning bigip1 tmm1[28813] 01260013 SSL Handshake failed for TCP 192.0.2.1:5106 -> 192.0.2.200:5607
-- warning bigip1 tmm1[28813] 01260009 Connection error: ssl_hs_vfy_sign_srvkeyxchg:13583: sign_srvkeyxchg (80)
-- debug bigip1 tmm1[28813] 01260036 FIPS acceleration device error: fips_poll_completed_reqs: req: 4 status: 0x1 : Cancel
-- err bigip1 pkcs11d[26259] 01680002 Key table lookup failed. error.

After enabling pkcs11d debug, the pkcs11d.debug log shows:

-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_CLASS
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_CLASS matches
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute class CKO_PRIVATE_KEY attribute CKA_ID
-- 2019-10-03 11:21:50 [6399] t00075a9a462b0000: pkcs11: 000008D9 D obj_match_attribute type CKA_ID does not match <===


For Safenet:
-- warning tmm1[17495]: 01260009:4: Connection error: ssl_hs_vfy_sign_srvkeyxchg:13544: sign_srvkeyxchg (80)
-- warning tmm1[17495]: 01260013:4: SSL Handshake failed for TCP 10.1.1.11:6009 -> 10.1.1.201:443
-- err pkcs11d[5856]: 01680002:3: Key table lookup failed. error.

Conditions:
1. Keys were created on earlier versions of BIG-IP software, no matter if using tmsh (Safenet) or using fipskey.nethsm (Thales, Safenet) and the device was upgraded to 14.1.0 or later.

2. Keys were created on BIG-IP v14.1.0 or later directly, using fipskey.nethsm (Thales). For Safenet, fipskey.nethsm was deprecated in 14.0.0.

Impact:
SSL handshake failures.

Workaround:
There are two workarounds:
-- Re-create the keys using tmsh command.

IMPORTANT: This workaround is suitable for deployments that are new and not in production.


-- Re-import the keys from nethsm using:
tmsh install sys crypto key <key_label> from-nethsm


You can find the key_label here:
-- The rightmost string in the output of the Thales command:
nfkminfo -l

-- The string after label= in the 'cmu list' command for Safenet.


758435-3 : Ordinal value in LTM policy rules sometimes do not work as expected

Component: Local Traffic Manager

Symptoms:
Which actions trigger in a first-match policy should depend on the ordinal of their rule. Sometimes, this does not work correctly.

Conditions:
The conditions under which this occurs are not known.

Impact:
LTM policy rules do not execute in the expected order.

Workaround:
It may be possible to re-arrange the rules to avoid the incorrect action execution.


757787-4 : Unable to edit LTM Policies that belong to an Application Service (iApp) using the WebUI.

Component: TMOS

Symptoms:
When creating a new rule or modifying an existing rule in a LTM Policy using the WebUI, the operation fails and an error similar to the following example is returned:

Transaction failed:010715bd:3: The parent folder is owned by application service (/Common/MyPolicy.app/MyPolicy), the object ownership cannot be changed to ().

Conditions:
-- The LTM Policy belongs to an Application Service (iApp).
-- The modification is attempted via the WebUI.

Impact:
Unable to make changes to existing LTM Policies.

Workaround:
Use the tmsh utility to make the necessary modifications to the LTM Policy. For example, the following command modifies an existing rule:

tmsh modify ltm policy myapp.app/Drafts/myapp_l7policy rules modify { 0 { conditions modify { 0 { http-method equals values { GET POST } } } } }


757279-4 : LDAP authenticated Firewall Manager role cannot edit firewall policies

Component: Advanced Firewall Manager

Symptoms:
The system posts the following message when the LDAP authenticated Firewall Manager role creates/modifies a firewall policy with rules or upgrading existing firewall policy:
User does not have modify access to object (fw_uuid_config).

Conditions:
-- Log in using an account with the Firewall Manager role.
-- Create/modify firewall policy with rules or upgrade existing firewall policy.

Impact:
Firewall modification operations fail with access to object (fw_uuid_config) error.

Workaround:
None.


757029-7 : Ephemeral pool members may not be created after config load or reboot

Component: Local Traffic Manager

Symptoms:
When using FQDN nodes and pool members, ephemeral pool members may not be created as expected immediately after a configuration-load or BIG-IP system reboot operation.

Conditions:
This may occur on affected BIG-IP versions when:

-- Multiple FQDN names (configured for FQDN nodes/pool members) resolve to the same IP address.
-- DNS queries to resolve these FQDN names occur almost simultaneously.

The occurrence of this issue is very sensitive to timing conditions, and is more likely to occur when there are larger numbers of FQDN names resolving to a common IP address.

Impact:
When this issue occurs, some subset of ephemeral pool members may not be created as expected.

As a result, some pools may not have any active pool members, and do not pass traffic.

This issue, when it occurs, may persist until the next DNS queries occur for each FQDN name, at which point the missing ephemeral pool members are typically created as expected. Using the default FQDN interval value of 3600 seconds, such downtime lasts approximately one hour.

Workaround:
To minimize the duration of time when pools may be missing ephemeral pool members, configure a shorter FQDN interval value for the FQDN nodes:

tmsh mod ltm node fqdn-node-name { fqdn { interval ## } }
Where ## is the desired number of seconds between successive DNS queries to resolve the configure FQDN name.


756313-8 : SSL monitor continues to mark pool member down after restoring services

Component: Local Traffic Manager

Symptoms:
After an HTTPS monitor fails, it never resumes probing. No ClientHello is sent, just 3WHS and then 4-way closure. The pool member remains down.

Conditions:
-- The cipherlist for the monitor is not using TLSv1 (e.g., contains -TLSv1 or !TLSv1).
-- The pool member is marked down.

Impact:
Services are not automatically restored by the health monitor.

Workaround:
-- To restore the state of the member, remove it and add it back to the pool.

-- Remove !TLSv1 and -TLSv1 from the cipher string, if possible.


756139-5 : Inconsistent logging of hostname files when hostname contains periods

Component: TMOS

Symptoms:
Some logs write the hostname with periods (eg, say for FQDN. For example, /var/log/user.log and /var/log/messages files log just the hostname portion:

-- user.log:Aug 5 17:05:01 bigip1 ).
-- messages:Aug 5 16:57:32 bigip1 notice syslog-ng[2502]: Configuration reload request received, reloading configuration.


Whereas other log files write the full name:

-- daemon.log:Aug 5 16:58:34 bigip1.example.com info systemd[1]: Reloaded System Logger Daemon.
-- maillog:Aug 5 16:55:01 bigip1.example.com err sSMTP[12924]: Unable to connect to "localhost" port 25.
-- secure:Aug 5 17:02:54 bigip1.example.com info sshd(pam_audit)[2147]: 01070417:6: AUDIT - user root - RAW: sshd(pam_audit): user=root(root) partition=[All] level=Administrator tty=ssh host=10.14.13.20 attempts=1 start="Mon Aug 5 17:02:30 2019" end="Mon Aug 5 17:02:54 2019".
-- ltm:Aug 5 17:02:42 bigip1.example.com warning tmsh[2200]: 01420013:4: Per-invocation log rate exceeded; throttling.

Conditions:
BIG-IP hostname contains periods or an FQDN:

[root@bigip1:Active:Standalone] log # tmsh list sys global-settings hostname
sys global-settings {
    hostname bigip1.example.com
}

Impact:
Hostname is logged inconsistently. Some logs write the full hostname (FQDN), while other log files write only the hostname portion. This can make searching on hostname more complicated.

Workaround:
None.


755976-5 : ZebOS might miss kernel routes after mcpd deamon restart

Component: TMOS

Symptoms:
After an mcpd daemon restart, sometimes (in ~30% of cases) ZebOS is missing some of kernel routes (virtual addresses).

One of the most common scenario is a device reboot.

Conditions:
-- Dynamic routing is configured.
-- Virtual address is created and Route Advertisement is configured:
imish -e 'sh ip route kernel'
-- mcpd daemon is restarted or device is rebooted.

Impact:
The kernel route (virtual address) is not added to the ZebOS routing table and cannot be advertised.

Workaround:
There are several workarounds; here are two:

-- Restart the tmrouted daemon:
bigstart restart tmrouted

-- Recreate the affected virtual address.


753536-4 : REST no longer requires a token to login for TACACS use

Component: TMOS

Symptoms:
Configurations that previously used TACACS for authentication in order to make REST requests are no longer required to use a token for remote authentication. You can simply use username and password.

Conditions:
Use of remote authentication using TACACS.

Impact:
If you have scripts that automatically request tokens, you no longer need them.

Workaround:
None.


751451-1 : When upgrading to v14.0.0 or later, the 'no-tlsv1.3' option is missing from HTTPS monitors automatically created server SSL profiles

Component: Local Traffic Manager

Symptoms:
If there are HTTPS monitor objects that were created using BIG-IP software v12.x, when the BIG-IP is upgraded directly to v14.0.0 or later, the operation automatically creates server SSL profiles for the HTTPS monitors as needed. Those server SSL profile objects do not have 'no-tlsv1.3' included in their 'options' configuration.

Conditions:
-- Having HTTPS monitors configured in v12.x before upgrading.
-- Directly upgrading from v12.x to v14.0.0 or later

Impact:
TLSv1.3 gets enabled on the server SSL profiles.

Workaround:
-- To avoid this issue, upgrade from v12.x to v13.x, and then upgrade to v14.0.0 or later


-- To mitigate this issue, modify the affected profile to disable TLSv1.3.


751103-1 : TMSH: 'tmsh save sys config' prompts question when display threshold is configured which is causing scripts to stop

Component: TMOS

Symptoms:
Issuing the command 'tmsh save sys config' results in a question when display threshold is set and when management routes are configured. There is no prompt when no management routes are configured. This question is posted only when management-routes are configured, and does not appear when other provisioning commands are issued and the config is saved.

Conditions:
1. Set the cli preference display-threshold to a smaller value than the default.
2. Create management routes.
3. Issue the following command:
tmsh save sys config

Impact:
When there are more items configured than the threshold, the system presents a question:
Display all <number> items? (y/n)

Scripts are stopped until the prompt is answered.

Workaround:
To prevent the question from popping up, set display threshold to 0 (zero).


In the case of this script, you can also delete the management route definitions to prevent the question from being asked.


749757 : -s option in qkview help does not indicate maximum size

Component: TMOS

Symptoms:
When running qkview with the -h option to obtain help, the -s (size) option is incorrectly rendered.

It should read:

[ -s <max file size> range:0-104857600 Bytes ]

Conditions:
-- Running qkview -h.
-- Viewing the -s (size) option help.

Impact:
The measurement size, bytes, is missing, which might result in confusion.

Workaround:
Use the -s option as normal, but be advised that the number should be in bytes, and that the maximum number is 104857600.


747234-8 : Macro policy does not find corresponding access-profile directly

Component: Access Policy Manager

Symptoms:
The discovery task runs but does not apply the 'Access Access Policy' for the access policy for which the Provider is configured.

Conditions:
-- Auto-discovery is enabled for a provider.
-- Discovery occurs.

Impact:
The Access Policy is not applied after successful auto-discovery. The policy must be applied manually.

Workaround:
Apply the Access Policy manually after auto-discovery.


747020-3 : Requests that evaluate to same subsession can be processed concurrently

Component: Access Policy Manager

Symptoms:
Requests that evaluate to the same subsession can be processed concurrently in some cases

Conditions:
-- Per-Request policy with subroutines.
-- Duplicate requests are sent that match existing subsession gating criteria.

Impact:
The request gets aborted with error messages in /var/log/apm:
apmd_plugin.cpp func: "serialize_apmd_reply()" line: 495 Msg: AccessV2 agent execution error 4.

Workaround:
None.


746984-6 : False positive evasion violation

Component: Application Security Manager

Symptoms:
When Referer header contains a backslash character ('\') in query string portion, 'IIS backslashes' evasion technique violation is raised.

Conditions:
-- 'Url Normalization' is turned on and 'Evasion Techniques Violations' is enabled.
-- Referer header contains a backslash character ('\') in query string part.

Impact:
False positive evasion technique violation is raised for Referer header.

Workaround:
Turn off 'Url Normalization' on the 'Normalization Settings' section of the 'referer' property on the HTTP Header Properties screen.


742753-6 : Accessing the BIG-IP system's WebUI via special proxy solutions may fail

Component: TMOS

Symptoms:
If the BIG-IP system's WebUI is accessed via certain special proxy solutions, logging on to the system may fail.

Conditions:
This issue is known to happen with special proxy solutions that do one of the following things:

- Remove the Referer header.

- Modify the HTTP request in such a way that the Referer and Host headers no longer tally with one another.

Impact:
Users cannot log on to the BIG-IP system's WebUI.

Workaround:
As a workaround, you can do any of the following things:

- Access the BIG-IP system's WebUI directly (i.e., bypassing the problematic proxy solution).

- Modify the proxy solution so that it does not remove the Referer header (this is only viable if the proxy does not alter the Host header).

- Modify the proxy solution so that it inserts compatible Referer and Host headers.


742105-4 : Displaying network map with virtual servers is slow

Component: TMOS

Symptoms:
The network map loads slowly when it contains lots of objects.

Conditions:
Load the network map in a configuration that contains 1000 or more objects.

Impact:
The network map loads very slowly.

Workaround:
None.


741702-1 : TMM crash

Component: TMOS

Symptoms:
TMM crashes during normal operation.

Conditions:
-- This can occur while passing normal traffic.
-- In this instance, APM and LTM are configured.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


740589-5 : Mcpd crash with core after 'tmsh edit /sys syslog all-properties'

Component: TMOS

Symptoms:
Syslog-ng consumes more than 95% CPU starving other processes of CPU time. This leads to eventual mcpd crash with core.

Conditions:
Configuring nonexistent local IP addresses and remote log server.

Impact:
Abnormal CPU usage. Potential eventual mcpd crash with core.

Workaround:
To mitigate the issue, you can use either of the following:

-- Follow these two steps:
 1. Remove the remote log server from the configuration.
 2. Replace the nonexistent local IP addresses with self IP addresses.

-- Configure the remote destination host with a unique parameter in the configuration so that syslog does not get confused if there are multiple entries:
udp(192.0.2.1 port(512) localip(192.0.2.200) persist-name(r1));
udp(192.0.2.1 port(512) localip(192.0.2.201) persist-name(r2));
udp(192.0.2.100 port(512) localip(192.0.2.200) persist-name(r3));
udp(192.0.2.100 port(512) localip(192.0.2.201) persist-name(r4));


739507-4 : Improve recovery method for BIG-IP system that has halted from a failed FIPS integrity check

Component: TMOS

Symptoms:
After FIPS 140-2 license is installed on BIG-IP FIPS-certified hardware devices, the system halts while booting upon performing the FIPS integrity check.

Console shows messages similar to:
  Starting System Logger Daemon...
  [ OK ] Started System Logger Daemon.
  [ 14.943495] System halted.

Conditions:
-- The BIG-IP device has a license that includes the FIPS 140-2 option (FIPS full-box license).
-- System element monitored by FIPS 140-2 integrity check has changed.
-- The device is rebooted.

Impact:
The device halts and cannot be used.

Workaround:
Workaround:
[1] Connect a terminal to the BIG-IP serial console port.
[2] From the console, enter the GRUB menu and boot into a partition that does not have a FIPS 140-2-enabled license, or into TMOS Maintenance.
[3] Mount config from the inactive partition (see K51222154: Mounting the filesystem of an inactive partition :: https://support.f5.com/csp/article/K51222154) that was halted, and examine the contents of /config/f5_public/fipserr, which shows the files that were changed, leading to failure of the FIPS 140-2 license-enabled partition.
[4] Restore those files to their original ones.
[5] Truncate the inactive partition's /config/f5_public/fipserr, e.g., by running:
   cat /dev/null > /mnt/test/f5_public/fipserr
[6] Reboot.

If the system still halts, repeat from Step [1] above, until this no longer happens.


739505-4 : Automatic ISO digital signature checking not required when FIPS license active

Component: TMOS

Symptoms:
Automatic ISO digital signature checking occurs but is not required when FIPS license active.

The system logs an error message upon an attempt to install or update the BIG-IP system:
 failed (Signature file not found - /shared/images/BIGIP-13.1.0.0.0.1868.iso.sig)

Conditions:
When the FIPS license is active, digital signature checking of the ISO is automatically performed. This requires that both the ISO and the digital signature (.sig) file are uploaded to the system.

Impact:
Installation does not complete if the .sig file is not present or not valid. Installation failure.

Workaround:
To validate the ISO on the BIG-IP system, follow the procedure described in K24341140: Verifying BIG-IP software images using .sig and .pem files :: https://support.f5.com/csp/article/K24341140.


738045-8 : HTTP filter complains about invalid action in the LTM log file.

Component: Local Traffic Manager

Symptoms:
Payload data is collected at the HTTP_REQUEST event and finishes collecting (HTTP::release) when the NAME_RESOLVED event occurs. On releasing, data is forwarded to the serverside, triggering the HTTP_REQUEST_SEND event.
 
When trying to raise HTTP_REQUEST_SEND, the iRule queues it and returns IN_PROGRESS, because the system is already in the process of running TCLRULE_NAME_RESOLVED. (Nested iRules: TCLRULE_NAME_RESOLVED -> TCLRULE_HTTP_REQUEST_SEND)

Due to the IN_PROGRESS status, tcp_proxy skips forwarding HUDCTL_REQUEST to the serverside, but not the subsequent payload. So the HTTP filter considers this an invalid action.

Conditions:
-- Standard virtual server with iRules attached (for example, using the following configuration for a virtual server):

when HTTP_REQUEST {
    HTTP::collect
    NAME::lookup @10.0.66.222 'f5.com'
}
when NAME_RESOLVED {
    HTTP::release
}
when HTTP_REQUEST_SEND {
        log local0. "Entering HTTP_REQUEST_SEND"
}

-- Client sends two HTTP Post requests.
-- After the first request, the second connection is kept alive (for example, by using HTTP header Connection) so that the second request can reuse the same connection.

Impact:
The second request gets reset, and the system logs errors in the LTM log file.

Workaround:
To avoid nested iRules in this instance, simply remove the HTTP_REQUEST_SEND from the iRule.


738032-4 : BIG-IP system reuses cached session-id after SSL properties of the monitor has been changed.

Component: Local Traffic Manager

Symptoms:
The BIG-IP system maintains an SSL session cache for SSL (https) monitors. After changing the properties of an SSL monitor that might affect the operation of SSL, the BIG-IP continues to reuse an existing SSL session ID.

Conditions:
-- The BIG-IP system has cached session ID from previous SSL session.
-- SSL properties of monitor that might affect the operation of SSL are changed.
-- Monitor is using bigd.

Impact:
Sessions still use cached session ID. If session continues to succeed, session uses cached session ID till expiry.

Workaround:
-- Restart bigd.
-- Remove the monitor from the object and re-apply.
-- Use in-tmm monitors.


737322-5 : tmm may crash at startup if the configuration load fails

Component: TMOS

Symptoms:
Under certain circumstances, tmm may crash at startup if the configuration load fails.

Conditions:
This might occur after a configuration loading failure during startup, when TMM might take longer than usual to be ready.

Impact:
tmm crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


725646-1 : The tmsh utility cores when multiple tmsh instances are spawned and terminated quickly

Component: TMOS

Symptoms:
A tmsh core occurs when multiple tmsh instances are spawned and terminated quickly

/var/log/kern.log:
info kernel: tmsh[19017]: segfault ...

system messages in /var/log/messages:
notice logger: Started writing core file: /var/core/-tmsh ...

/var/log/audit:
notice -tmsh[19010]: 01420002:5: AUDIT - pid=19010 ...

Conditions:
This issue occurs intermittently in the following scenario:

1. Open multiple instances of tmsh using the following command pattern:
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
tmsh
run util bash
...
2. Quickly terminate them using Ctrl-D or by closing terminal.

Impact:
The tmsh utility crashes and produces a core file in the /shared/core directory. The BIG-IP system remains operational.

Workaround:
Restart tmsh if the problem occurs.

To prevent the issue from occurring: Do not quickly terminate tmsh instances using Ctrl-D.


723658-7 : TMM core when processing an unexpected remote session DB response.

Component: Carrier-Grade NAT

Symptoms:
Using CGNAT or FW-NAT on a cluster may cause a TMM core if there are intra-cluster communication issues that cause CMP state transitions.

The system writes messages to /var/log/tmm* similar to the following:

   notice CDP: exceeded 1/2 timeout for PG 1
   notice CDP: PG 1 timed out
   notice CDP: New pending state 0f -> 0d
   notice Immediately transitioning dissaggregator to state 0xd
   notice cmp state: 0xd
   notice CDP: New pending state 0d -> 0f
   ...
   notice cmp state: 0xf
   notice CDP: exceeded 1/2 timeout for PG 1

Conditions:
-- A LSN pool or FW-NAT source translation that has persistence enabled.
-- Intra-cluster communication issues that cause CMP state transitions.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
There is no workaround at this time.


723112-7 : LTM policies does not work if a condition has more than 127 matches

Component: Local Traffic Manager

Symptoms:
LTM policies do not work if number of matches for a particular condition exceeds 127.

Conditions:
LTM policy that has a condition with more than 127 matches.

Impact:
LTM policy does not match the expected condition.

Workaround:
There is no workaround at this time.


718796-6 : IControl REST token issue after upgrade

Component: Device Management

Symptoms:
When upgrading to version 13.1.0.x or later, users who previously had permissions to make calls to iControl REST lose the ability to make those calls.

Conditions:
-- Upgrading to version 13.1.0.x or later.
-- Using iControl REST.

Impact:
A previously privileged user can no longer query iControl REST. In addition, some remotely authenticated users may lose access to the Network Map and Analytics view after the upgrade.

Workaround:
You can repair the current users permissions with the following process:

   1) Delete the state maintained by IControlRoleMigrationWorker and let it rerun by restarting restjavad process:
      # restcurl -X DELETE "shared/storage?key=shared/authz/icontrol-role-migrator"
      # bigstart restart restjavad.

   2) Update shared/authz/roles/iControl_REST_API_User userReference list to add all affected users' accounts using PUT:
      # restcurl shared/authz/roles/iControl_REST_API_User > role.json
      # vim role.json and add { "link": "https://localhost/mgmt/shared/authz/users/[your-user-name]" } object to userReferences list
      # curl -u admin:admin -X PUT -d@role.json http://localhost/mgmt/shared/authz/roles/iControl_REST_API_User

Now, when you create a new user, the permissions should start in a healthy state.


718573-4 : Internal SessionDB invalid state

Component: TMOS

Symptoms:
TMM crashes.

Conditions:
SessionDB is accessed in a specific way that results in an invalid state.

Impact:
TMM crashes. Traffic disrupted while tmm restarts.

Workaround:
None.


717346-8 : [WebSocket ] tmsh show /ltm profile WebSocket current and max numbers far larger than total

Solution Article: K13040347

Component: Local Traffic Manager

Symptoms:
WebSocket profile statistics for current and maximum connections are always very large, even right after restarting the system. The numbers are several orders of magnitude larger than the statistics for total connections.

Conditions:
Rarely occurring, unstable network could be one of the reasons.

Impact:
Cannot use stats for troubleshooting.

Workaround:
Reset the stats using the following command:
# tmsh reset-stats ltm profile websocket


717174-4 : WebUI shows error: Error getting auth token from login provider

Component: Device Management

Symptoms:
Occasionally, the BIG-IP Admin Utility TMUI fails to function correctly and produces the following error:
Error getting auth token from login provider.

This occurs when the BIG-IP REST Daemon restjavad fails to start up properly.

Conditions:
This error most often occurs on the first or second boot after upgrade, and more often on Virtual Edition BIG-IP platforms running on oversubscribed or slow hypervisors.

Impact:
TMUI and any other BIG-IP system components that rely on REST Workers such as: OpenID Connect key rotation discovery, portions of the TMOS Web Configuration Utility, and Guided Configuration (AGC and WGC) fail to function properly.

Workaround:
Restarting the BIG-IP REST daemons restjavad and restnoded will usually correct the problem. To do so, connect to the SSH console and issue the following two commands:

bigstart restart restjavad
bigstart restart restnoded


716746-4 : Possible tmm restart when disabling single endpoint vector while attack is ongoing

Component: Advanced Firewall Manager

Symptoms:
tmm restarts.

Conditions:
-- AFM DoS single endpoint (sweep or flood) vector is configured.
-- The attack is ongoing.
-- The attack vector is being mitigated in hardware (HW).
-- The vector is manually disabled.

Impact:
tmm can crash and restart. Traffic disrupted while tmm restarts.

Workaround:
If you do not want to mitigate, set the mitigation_threshold to infinite.

Note: Do not disable the single endpoint vectors when an attack is ongoing and the vector is being mitigated in HW.


714642-7 : Ephemeral pool-member state on the standby is down

Component: Local Traffic Manager

Symptoms:
On a standby BIG-IP system, an ephemeral pool-members state remains user-down after re-enabling an FQDN node on the primary system.

Conditions:
Re-enabling a forced-down FQDN node on the primary system.

Impact:
On the standby system, the ephemeral pool-members are in state: user-down, (forced-down in GUI).

Workaround:
None.


714176-6 : UCS restore may fail with: Decryption of the field (privatekey) for object (9717) failed

Component: TMOS

Symptoms:
-- UCS archive restore fails
-- The Traffic Management Shell (TMSH) and/or /var/log/ltm file show following error message:
01071769:3: Decryption of the field (privatekey) for object (9717) failed. Unexpected Error: Loading configuration process failed.

Conditions:
- Restoring configuration from UCS.
- The UCS is being restored on a different BIG-IP system with a different master key.

Impact:
-- The UCS configuration is not applied.
-- The BIG-IP is not in a fully operational state.

Workaround:
If you encounter this error and dynad is not in use (dynamic debug) you can manually edit bigip_base.conf.

1. Locate the dynad config in /config/bigip_base.conf file:

For example, the dynad config will look like:
sys dynad key {
    key $M$jV$VX7HMp5q346nsTYDYFPnYdJLrBPyQSCrDTJYAz4je7KXJAC38fxtDJL35KtF66bq
}

2. Modify the dynad configuration lines to:
sys dynad key {
    key "test"
}

3, Save the updated bigip_base.conf file
4. Load the configuration with command: tmsh load sys config


713183-5 : Malformed JSON files may be present on vCMP host

Component: TMOS

Symptoms:
Malformed JSON files may be present on vCMP host.

Conditions:
All needed conditions are not yet defined.

- vCMP is provisioned.
- Guests are deployed.
- Software versions later than 11.6.0 for both guest/host may be affected.

Impact:
Some vCMP guests may not show up in the output of the command:
 tmsh show vcmp health

In addition, there might be files present named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

There is no functional impact to the guests or to the host, other than these lost tables, which are provided as a convenience to the vCMP host administrator.

Workaround:
None.


712241-7 : A vCMP guest may not provide guest health stats to the vCMP host

Component: TMOS

Symptoms:
A vCMP guest usually provides the vCMP host with some guest health statistics as a convenience to the vCMP host administrator. These stats are:
-- mgmt/tm/sys/ha-status
-- mgmt/tm/sys/software/status
-- mgmt/tm/sys/software/provision

These tables are created by the host when host vcmpd queries the guest over the vmchannel using REST.

These RESTful queries may sometimes fail, causing the queried vCMP guest to be omitted in the display of the output of the following command: $ tmsh show vcmp guest

Conditions:
-- vCMP provisioned.
-- Guests are deployed.
-- Host vcmpd queries the guest over the vmchannel using REST.

Impact:
There is no functional impact to the guests or to the host, other than these lost tables.

-- Some vCMP guests may not show up in the output of the following command: tmsh show vcmp health
-- Some guests may appear with the wrong status in the GUI. Such as being grey when it should be green.
-- Files containing guest information, kept in:
/var/run/vcmpd/<guestname>/json/(sys-ha-status.json|sys-provision.json|sys-software.json) may be missing from that directory.
-- There might be files present there named using the following structure:
 /var/run/vcmpd/<guestname>/json/sys-(ha-status|provision|software).json.bad.

Workaround:
There is no workaround at this time.


708680-4 : TMUI is unable to change the Alias Address of DNS/GTM Monitors

Component: Global Traffic Manager (DNS)

Symptoms:
TMUI (the GUI) is unable to change the Alias Address of DNS/GTM Monitors.

Conditions:
-- Using the GUI.
-- DNS/GTM monitors with alias address.
-- Attempting to change the Alias Address.

Impact:
Cannot change the Alias Address.

Workaround:
Use tmsh.


705387-4 : HTTP/2, ALPN and SSL

Component: Local Traffic Manager

Symptoms:
The SSL filter will not always add the ALPN extension.

Conditions:
If the negotiated cipher is not HTTP/2 compliant, the SSL filter may not add the ALPN extension.

Impact:
The failure to add the ALPN extension may result in the failure to negotiate the proper protocol.

Workaround:
There is no workaround at this time.


703678-4 : Cannot add 'secure' attributes to several ASM cookies

Component: Application Security Manager

Symptoms:
There is an option to add 'secure' attribute to ASM cookies.
There are some specific cookies which this option does not apply on.

Conditions:
-- ASM policy is attached to the virtual server.
-- Internal parameter 'cookie_secure_attr' flag is enabled, along with either of the following:
   + Using HTTPS traffic.
   + The 'assume https' internal parameter is also enabled.
-- Along with one of the following:
   + Web Scraping' feature is enabled.
   + 'Bot Detection' feature is enabled.
   + The 'brute force' feature is enabled using CATPCHA.

Impact:
Some cookies do not have the 'secure' attributes.

Workaround:
None.


700639-1 : The default value for the syncookie threshold is not set to the correct value

Component: Local Traffic Manager

Symptoms:
The default value for connection.syncookies.threshold should be set to 64000. Instead, this value defaults to 16384.

Conditions:
This issue may be encountered when a virtual server uses syncookies.

Impact:
The connection.syncookies.threshold value will be lower than intended, possibly resulting in lower performance.

Workaround:
Use tmsh to manually set the threshold value:
# tmsh modify sys db connection.syncookies.threshold value 64000


699758-3 : Intermittent connection resets are seen in HTTP/2 gateway when HTTP/2 preface is sent to server

Component: Local Traffic Manager

Symptoms:
HTTP/2 connection in gateway scenario is reset when HTTP/2 preface makes it to the server instead of being consumed by the BIG-IP system. The backend connection to the server in gateway scenario is an HTTP/1 connection. The connection is reset when HTTP/2 preface is sent on the backend connection instead of being consumed by the BIG-IP system.

Conditions:
HTTP/2 gateway is configured.

Impact:
HTTP/2 connection reset is seen.

Workaround:
None.


696755-6 : HTTP/2 may truncate a response body when served from cache

Component: Local Traffic Manager

Symptoms:
BIG-IP systems provide a client-side HTTP/2 Gateway protocol implementation in conjunction with HTTP 1.x on a server side. A response can be cached on the BIG-IP system with a web acceleration profile. Sometimes a response served from cache is prematurely marked with END_STREAM flag, causing the client to ignore the rest of the response body.

Conditions:
BIG-IP system has a virtual server for which HTTP/2 and Web Acceleration profiles are configured.

Impact:
Some clients' browsers do not retry a resource, causing incorrect rendering of an HTML page.

Workaround:
Adding the following iRule causes the body to be displayed:

when HTTP_RESPONSE_RELEASE {
    set con_len [string trim [HTTP::header value Content-Length]]
    HTTP::header remove Content-Length
    HTTP::header insert Content-Length "$con_len"
}


696363-5 : Unable to create SNMP trap in the GUI

Component: TMOS

Symptoms:
Trying to create a SNMP trap may fail in the GUI with the following error message: An error has occurred while trying to process your request.

Conditions:
-- Trap destinations are configured using the GUI: When trap destinations are configured in the GUI, the trap name is generated using the destination IP address.
-- Traps of the same destination address were previously created and deleted.

Impact:
GUI parameter checking does not work as expected. BIG-IP Administrator is unable to create a SNMP trap session.

Workaround:
To work around this issue when using the GUI, remove all traps that have the same destination address as the new one that failed. Then re-add your destination.

Tip: You can use tmsh to create/delete/modify SNMP traps, which enables viewing of the generated names, making it easier to understand what error has occurred.


692218-7 : Audit log messages sent from the primary blade to the secondaries should not be logged.

Component: TMOS

Symptoms:
Audit log messages sent from the primary blade to the secondaries are logged.

Conditions:
Multi-blade platform.

Impact:
Unnecessary messages in the log file.

Workaround:
None.


690928-2 : System posts error message: 01010054:3: tmrouted connection closed

Component: TMOS

Symptoms:
Beginning in BIG-IP 12.0.0, the tmrouted process pushes dynamic routes directly to the Traffic Management Microkernel (TMM). This message indicates the system is shutting down and is expected behavior during the reboot or shutdown process. The appearance of this message on a stable running system may indicate an issue with tmrouted functionality.

System posts the following message in /var/log/ltm: 01010054:3: tmrouted connection closed

Conditions:
This message occurs when all of the following conditions are met:

-- You have configured the BIG-IP system to use dynamic routing.
-- The BIG-IP system is in the process of shutting down or rebooting.

Impact:
This message is benign, unless you view the message on a stable running system. In this case, the message may indicate an issue with the tmrouted process.

Workaround:
None.


689147-4 : Confusing log messages on certain user/role/partition misconfiguration when using remote role groups

Component: TMOS

Symptoms:
When using remote role groups to set user/role/partition information, user login fails, but logs in /var/log/secure indicate that authentication was successful.

Errors similar to the following appear in /var/log/ltm:

-- User restriction error: The administrator, resource administrator, auditor and web application security administrator roles may not be restricted to a single partition.
-- Input error: invalid remote user credentials, partition does not exist, broken-partition

Errors similar to the following appear in /var/log/secure:

tac_authen_pap_read: invalid reply content, incorrect key?

Conditions:
Using remote role groups to set user/role/partition information for remote users, and either of the following:
-- A remote user is configured with the role of administrator, resource administrator, auditor, or web application security administrator, with access to a particular partition, rather than all. (These roles require access to all partitions.)
-- A remote user is configured with partition access set to a partition that does not exist on the BIG-IP system.

Impact:
The messages in /var/log/secure may be confusing and make it more difficult to diagnose the login failure.

Workaround:
Check /var/log/ltm for more specific error messages.


675911-10 : Different sections of the GUI can report incorrect CPU utilization

Solution Article: K13272442

Component: TMOS

Symptoms:
The following sections of the GUI can report incorrect (i.e., higher than expected) CPU utilization:

- The "download history" option found in the Flash dashboard

-- Statistics :: Performance :: Traffic Report (section introduced in version 12.1.0).

-- Values such as 33%, 66% and 99% may appear in these sections despite the system being potentially completely idle.

Conditions:
HT-Split is enabled (this is the default for platforms that support it).

Impact:
The CPU history in the exported comma-separated values (CSV) file does not match actual CPU usage.

Workaround:
You can obtain CPU history through various other means. One way is to use the sar utility.

In 12.x and 13.x:
  sar -f /var/log/sa6/sa
or for older data
  sar -f /var/log/sa6/sa.1
The oldest data is found compressed in /var/log/sa6 and must be gunzipped before use.

In 11.x:
  sar -f /var/log/sa/sa
or for older data
  sar -f /var/log/sa/sa.1
The oldest data is found compressed in /var/log/sa and must be gunzipped before use.

Live CPU utilization also can be obtained through various other means. Including: the Performance Graphs, SNMP polling, iControl polling, various command-line utilities such as top, etc.


675772-3 : IPsec tunnels fail when traffic-selectors share one IPsec interface mode policy

Component: TMOS

Symptoms:
When IPsec tunnels to several different peers are configured using a single ipsec-policy in interface mode, the tunnels will be unreliable or may not start.

Conditions:
Several traffic-selectors that are associated with different tunnels reference the same interface mode IPsec policy.

Note: It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.

Impact:
IPsec tunnels may start but fail after a period of time. In other cases, IPsec tunnels may not start at all.

Workaround:
(1) Create a unique ipsec-policy configuration object for each remote peer and traffic-selector.
(2) Use tunnel mode. It is not possible to create this configuration when the IPsec policy is tunnel or transport mode.


673573-7 : tmsh logs boost assertion when running child process and reaches idle-timeout

Component: TMOS

Symptoms:
An idle-timeout occurs while running a sub-process in interactive mode, resulting in a log message. tmsh logs a benign but ominous-looking critical error to the console and to /var/log/ltm if a tmsh command reaches idle timeout and a spawned sub-process is still running.

The errors in /var/log/ltm begin with the following text:
    'boost assertion failed'

Conditions:
-- tmsh command reaches idle timeout.
-- Spawned sub-process is still running.

Impact:
Although the wording indicates a failure, the message is benign and you can safely ignore it.

Workaround:
None.


662301-1 : 'Unlicensed objects' error message appears despite there being no unlicensed config

Component: TMOS

Symptoms:
An error message appears in the GUI reading 'This device is not operational because the loaded configuration contained errors or unlicensed objects. Please adjust the configuration and/or the license, and re-license the device.' Examination of the configuration and license shows that there are no configuration error or unlicensed configuration objects. The device is operational.

Conditions:
The BIG-IP system is licensed and the configuration loaded.

Impact:
Error message appears in the GUI stating that the device is not operational. However, the device is operational.

Workaround:
Restart mcpd by running the following command:
bigstart restart mcpd


658943-4 : Errors when platform-migrate loading UCS using trunks on vCMP guest

Component: TMOS

Symptoms:
During platform migration from a physical BIG-IP system to a BIG-IP vCMP guest, the load fails with one of these messages:

01070687:3: Link Aggregation Control Protocol (LACP) is not supported on this platform. Unexpected Error: Loading configuration process failed.

01070338:3: Cannot create trunk [name of trunk], maximum limit reached Unexpected Error: Loading configuration process failed.

Conditions:
-- The source device is a physical BIG-IP device with one or more trunks with or without LACP in its configuration.
-- The destination device is a vCMP guest.

Impact:
The platform migration fails and the configuration does not load.

Workaround:
You can use either of the following Workarounds:

-- Remove all trunks from the source configuration prior to generation of the UCS.

-- After the UCS load fails, edit the configuration manually on the destination to remove trunk references, and then reload the configuration.


658850-4 : Loading UCS with the platform-migrate parameter could unexpectedly set or unset management DHCP

Component: TMOS

Symptoms:
When you load a UCS file using the platform-migrate parameter, the mgmt-dhcp value (enabled, disabled, or unset) will overwrite the value on the destination. Depending on the effect, this could change the destination's management IP and default management route.

If the UCS does not have mgmt-dhcp explicitly written out, note that its value is treated as the default for the local system, which varies by the type of system. On Virtual Edition (VE) platforms, the default is to enable DHCP. On all other platforms, the default is to disable DHCP.

Conditions:
This occurs when loading a UCS using the platform-migrate parameter:
tmsh load sys ucs <ucs_file_from_another_system> platform-migrate

Impact:
Changing the mgmt-dhcp value on the destination can result in management changing from statically configured to DHCP or DHCP to statically configured. This can result in loss of management access to the device, requiring in-band or console access.

Workaround:
If you want to reset the target device to use a static IP, run the following commands after loading the UCS with the platform-migrate command:

tmsh modify sys global-settings mgmt-dhcp disabled
tmsh create sys management-ip <ip>/<mask>
tmsh delete sys management-route default
tmsh create sys management-route default gateway <ip>


648242-7 : Administrator users unable to access all partition via TMSH for AVR reports

Solution Article: K73521040

Component: Application Visibility and Reporting

Symptoms:
Using the TMSH for AVR reports can fail if it contains partition based entities, even with an administrator user (which should have permissions to all partitions).

Conditions:
Using the TMSH for querying partitioned based stats with an administrator user.

Impact:
AVR reports via TMSH will fail when using partition based entities.

Workaround:
None.


646768-5 : VCMP Guest CM device name not set to hostname when deployed

Solution Article: K71255118

Component: TMOS

Symptoms:
When you access the vCMP guest instance after you deploy the system, the instance uses the hostname bigip1.

Conditions:
This issue occurs when all of the following conditions are met:

-- The BIG-IP system is running v11.6.0 or earlier.
-- You configure a vCMP guest instance that is running BIG-IP v11.6.0 or later.
-- You have configured the vCMP guest instance with a hostname other than bigip1.
-- You deploy the vCMP guest instance.

Impact:
The vCMP guest does not use the configured hostname.

Workaround:
-- In tmsh, run the following commands, in sequence:

 mv cm device bigip1 HOSTNAME
 save sys config

-- Rename the device name in the GUI.


625807-2 : Tmm cores in bigproto_cookie_buffer_to_server

Component: Local Traffic Manager

Symptoms:
TMM cores on SIGSEGV during normal operation.

Although the exact triggering conditions are unknown, it might that when a connection is aborted in a client-side iRule, the reported log signature may indicate its occurrence:

tmm3[11663]: 01220009:6: Pending rule <irule_name> <HTTP_REQUEST> aborted for <ip> -> <ip>.

Conditions:
Specific conditions that trigger this issue are unknown.

Impact:
Traffic disrupted while tmm restarts.

Workaround:
None.


603693-1 : Brace matching in switch statement of iRules can fail if literal strings use braces

Solution Article: K52239932

Component: TMOS

Symptoms:
In the TMUI on any iRule editing page, brace matching within a switch statement can fail if a literal string is surrounded with braces.

Conditions:
Use a literal string surrounded with curly braces for a case/pattern within a switch statement.

Impact:
Incorrect brace matching.

Workaround:
Instead of surrounding the literal string with braces, use double quotes.


554228-10 : OneConnect does not work when WEBSSO is enabled/configured.

Component: Access Policy Manager

Symptoms:
OneConnect is a feature that reuses server-side connections. When WEBSSO is enabled, it always creates a new server-side connection, and doesn't reuse pooled connections.

Conditions:
WEBSSO and OneConnect.

Impact:
Idle serverside connections that should be eligible for reuse by the virtual server are not used. This might lead to build-up of idle serverside connections, and may result in unexpected 'Inet port exhaustion' errors.

Workaround:
None.


528894-5 : Config sync after sub-partition config changes results extra lines in the partition's conf file

Component: TMOS

Symptoms:
Config sync after sub-partition config changes results extra lines in the partition's conf file.

Conditions:
Make changes under any partition except /Common and then config sync without overwrite.

Impact:
/config/partitions/partition_name/bigip_base.conf in the partitions folder has trunk and ha-group configuration. /config/bigip_base.conf no longer has the trunk and ha-group configuration.

Workaround:
'Sync Device to Group' with 'Overwrite Configuration' enabled.


499348-12 : System statistics may fail to update, or report negative deltas due to delayed stats merging

Component: TMOS

Symptoms:
Under some conditions, the BIG-IP system might fail to report statistics over time. This can manifest as statistics reporting unchanging statistics (e.g., all zeroes (0)), or as sudden spikes in traffic, or as negative deltas in some counters.

The system performance graphs will also appear to have gaps / be missing data at the times that this occurs.

Conditions:
This occurs when there are frequent changes occurring to the underlying statistics data structures. This might occur under the following conditions:

-- The system is spawning/reaping processes on a frequent basis (e.g., when there is a large number of external monitors).

-- iRules are frequently using 'SSL::profile' to select different SSL profiles on a virtual server (this can cause per-virtual server, per-profile statistics to be created and deleted on a regular basis).

Impact:
Statistics fail to merge, which results in incorrect view of system behavior and operation.

Workaround:
This issue has two workarounds:

1. Reduce the frequency of changes in the statistics data structures. The specific action to take depends on what is triggering them. To do so, use any or all of the following:

-- Reduce the frequency of configuration changes.
-- Reduce the use of 'SSL::profile' in iRules.
-- Reduce the number/frequency of processes being spawned by the system.

2. Switch statistics roll-ups to the 'slow_merge' method, which causes the system to spend more CPU merging statistics. To do so, set the 'merged.method' DB key to 'slow_merge' using the following command:
    tmsh modify sys db merged.method value slow_merge.


489572-6 : Sync fails if file object is created and deleted before sync to peer BIG-IP

Solution Article: K60934489

Component: TMOS

Symptoms:
Sync fails if you create/import a file object and delete it before triggering manual sync; ltm logs contain messages similar to the following:

Standby:
-- err mcpd[7339]: 01070712:3: Caught configuration exception (0), Failed to sync files..
-- err mcpd[7339]: 01071488:3: Remote transaction for device group /Common/test to commit id 42 6079477704784246664 /Common/test failed with error 01070712:3: Caught configuration exception (0), Failed to sync files...

Active:
-- err mcpd[6319]: 0107134a:3: File object by name (/Common/filename) is missing.

Conditions:
This occurs when the following conditions are met:
-- BIG-IP systems configured for high availability (HA) are not configured to sync automatically, and incremental synchronization is enabled (these are the default settings).
-- One or more file objects are created and deleted before performing a sync from Active to Standby.

Impact:
Sync fails.

Workaround:
When you create/add a file object, make sure to sync before deleting it.

If a system is already in this state, perform a full sync and overwrite the configuration, as described in K13887: Forcing a BIG-IP device group member to initiate a ConfigSync operation :: https://support.f5.com/csp/#/article/K13887.


486712-8 : GUI PVA connection maximum statistic is always zero

Component: TMOS

Symptoms:
The GUI PVA connection maximum statistic is always zero, regardless of the number of PVA connections established.

Conditions:
This occurs when fastL4 connections are used.

Impact:
The customer cannot determine the maximum number of PVA connections because the stat is always zero.


469724-4 : When evaluation/demonstration features expire, features enabled by both evaluation and perpetual licenses also expire

Component: TMOS

Symptoms:
Evaluation features cause perpetual features to expire when the evaluation license expires.

Conditions:
-- Perpetual license with an evaluation/demonstration add-on feature.
-- The add-on license expires or is expired.

Impact:
When an evaluation/demonstration add-on license expires, features included in both the evaluation add-on as well as the regular, perpetual license stop working.

This behavior is covered in F5 article K4679: BIG-IP evaluation and demonstration licenses do expire :: https://support.f5.com/csp/article/K4679.

Workaround:
To work around this issue, activate the license from the command line:

When reactivating an existing license, and deactivating an expired evaluation license key, specify the base registration key and add-on (if any), and use the -i option for the expired evaluation license key in the get_dossier command.

For example, if the expired evaluation license key is ABCDEFG-ZZZZZZZ, use the following command:

get_dossier -b ABCDE-ABCDE-ABCDE-ABCDE-ABCDEFG -a ABCDEFG-ABCDEFG -i ABCDEFG-ZZZZZZZ

You can find these steps detailed in K2595: Activating and installing a license file from the command line :: https://support.f5.com/csp/article/K2595. This part in particular is required to work around this issue


431503-9 : TMSH crashes in rare initial tunnel configurations

Solution Article: K14838

Component: TMOS

Symptoms:
In rare BigIP configuration scenarios, TMM may crash during its startup process when the tunnel configurations are loaded.

Conditions:
During TMM startup, a tunnel is created, then immediately removed during the configuration load period, when TMM neighbor messages may be in flight via the tunnel. When the race condition fits, the neighbor message may land on an invalid tunnel.

Impact:
TMM crash in rare race conditions.

Workaround:
None.


398683-5 : Use of a # in a TACACS secret causes remote auth to fail

Solution Article: K12304

Component: TMOS

Symptoms:
TACACS remote auth fails when the TACACS secret contains the '#' character.

Conditions:
TACACS secret contains the '#' character.

Impact:
TACACS remote auth fails.

Workaround:
Do not use the '#' character in the TACACS secret.


385013-1 : Certain user roles do not trigger a sync for a 'modify auth password' command

Component: TMOS

Symptoms:
If users with the certain roles change their password, the BIG-IP system does not detect that it is out-of-sync with its peer and does not trigger an automatic sync:

Conditions:
-- Multiple BIG-IP devices in a Device Service Cluster that sync configurations with each other.
-- A user with one of the following roles logs in and changes their password:
  + guest
  + operator
  + application-editor
  + manager
  + certificate-manager
  + irule-manager
  + resource-admin
  + auditor

Impact:
The system does not detect that it is out of sync with its peer, and does not report this condition. If automatic sync is enabled, a sync does not automatically occur.

Workaround:
Force a full sync to the peer systems.


382363-2 : min-up-members and using gateway-failsafe-device on the same pool.

Solution Article: K30588577

Component: TMOS

Symptoms:
The system does not require setting a pool's min-up-members greater than 0 (zero) when also using gateway-failsafe-device on the same pool.

Conditions:
A pool's min-up-members is 0 when gateway-failsafe-device is set.

Impact:
Failure to set min-up-members greater than 0 when using gateway-failsafe-device might cause errors. The tmm might crash.

Workaround:
Set min-up-members greater than 0 when using gateway-failsafe-device.




This issue may cause the configuration to fail to load or may significantly impact system performance after upgrade


*********************** NOTICE ***********************

For additional support resources and technical documentation, see:
******************************************************